Towards the end of March 2017, the Constitution, Law and Justice Committee approved the new regulations for the protection of privacy.
What does it mean?
Any entity in Israel that maintains a database, as defined under the Protection of Privacy Law, will be bound by the new regulations according to the security levels the regulations define.
The regulations define roughly four categories of database, each with its own security level.
The security levels that are regulated are:
- Databases managed by an individual.
- Basic security level - This includes business owners who hold databases such as mailing lists, where the number of people authorized to access the database does not exceed ten.
- Medium security level - Databases to which more than ten people have access and which hold sensitive information, such as criminal, medical and similar information.
- High security level - Databases containing information on more than 100,000 people, where the number of people authorized to access the database exceeds one hundred.
So, after that introduction, what are the regulations, and what do they actually require?
- Security - The database owner must draw up an "Information Security Procedure" document covering, among other things: how information security incidents are handled, the risks to which the database is exposed and how they are addressed, access to the database, a description of the security measures, and security instructions for the database.
- Physical and Environmental Security - The systems hosting the database must be kept in a protected location appropriate to the nature of the database and the sensitivity of the information it holds.
- Database Definitions Document - A document describing the database, its uses and the types of information it contains. The document must be updated whenever a significant change is made to the database, and the need to continue maintaining the database must be reviewed once a year.
- Access Permission Management - Access to the database is granted according to job definition, and an up-to-date list of valid permissions must be maintained. Permission to access the database is granted only after reasonable measures have been taken in the employee selection process.
- Risk Survey and System Mapping - An up-to-date document describing the structure of the database, including, among other things, the types of communication components, the software systems used to operate the database, and a survey to identify information security risks.
- Outsourcing - Provisions governing engagement with external entities for the purpose of obtaining services that involve granting access to the database.
- Periodic Reviews - Internal or external audits by an appropriate entity with appropriate training, to ensure compliance with the provisions of the regulations.
- Security Incident Documentation - The database owner must document all security incidents relating to the database.
- Communication Security - Any system on which the database runs must not be connected to the Internet or to another public network without appropriate protection against unauthorized intrusion.
- Mobile Devices - The database owner must prevent mobile devices from connecting to the database systems or, alternatively, restrict such connections using the usual protective measures.
- Backup and Recovery - Procedures for backing up and recovering the information must be established according to the sensitivity level of the information in the database.
How will you know which procedures you should follow?
If you have a database managed by an individual, that is, at the most basic security level, your obligations are very limited: only the database definitions document must be prepared.
Database owners at the other security levels must prepare a more detailed definitions document, defining the data collected, the purpose of its use and whether the information is transferred onward.
Database owners at the highest security level must conduct all the surveys, prepare all the documents, document all security incidents and, in general, comply with every regulation without exception.
Why were the regulations made?
Following the aggressive collection of information by technology companies, and by any company that holds sensitive information and details about its customers (from phone numbers and email addresses to medical, security or criminal information), the Constitution Committee drew up the regulations to safeguard citizens' privacy.
You may also come across the GDPR (General Data Protection Regulation). It is broadly similar to the Israeli regulations, and its purpose is to regulate the protection of the personal information of EU citizens held by commercial companies.
An important detail to consider is the penalties for failing to comply with information security regulations.
If you hold information about EU citizens, the GDPR imposes a penalty of about 4% of your financial turnover or a fine of 20 million euros (whichever is higher).
In Israel, the penalty is up to five years in prison if criminal liability of the database owner is proven, and the owner can also be sued for the infringement in civil court.
So whether you hold a little information or a lot, it is important to recognize the significant advantage of the regulations. When you follow the rules of the book and protect your customers' privacy, you earn their trust, which, if we are honest, is the most important thing in running a business.