The memorandum of the proposed Israeli Cyber Defense and National Cyber Directorate Law, 2018, published in June, proscribes, among other things, the disclosure of “information provided to the organization concerning a cyber-attack and the measures taken by the organization, unless permitted by a qualified employee of the Directorate, under the conditions he may prescribe and subject to any law”. The Memorandum further states that “a person or organization shall not disclose information provided to them, concerning instructions or other information relating to the activity of the Directorate, that a qualified employee has deemed as protected information, valuable security information or classified information”.
The Israeli Protection of Privacy Regulations (Data Security), 5777-2017, known as the ‘Data Security Regulations’, require database owners to promptly notify the Privacy Protection Authority, Israel’s privacy regulator, of any “severe data breach” and describe the measures taken following such security incidents. The Israeli legislature has thus codified the ‘Data Breach Notification’ requirement, a decade after an official committee headed by then Deputy Attorney General, Joshua Shofman, recommended doing so.
Israel is not the first country to legislate a data breach notification requirement. In fact, Israel’s legislation falls far behind countries with similar requirements. The General Data Protection Regulation (GDPR), for example, sets out a detailed mechanism by which a data controller must notify the supervisory authority of a personal data breach no later than 72 hours after becoming aware of it. The notification must include details of the security incident and the measures taken by the organization. To enforce these obligations, the GDPR does not rely on organizations’ voluntary compliance. Instead, the GDPR threatens companies with severe fines – up to 4% of an organization’s total global turnover in the previous fiscal year or 20 million Euros, whichever is higher. Most importantly, the GDPR applies directly to Israeli companies that offer products and services to European individuals or monitor their behavior. Moreover, all 50 states in the United States have laws requiring data breach notifications when personal information relating to their residents is compromised.
To make a long story short, the bill memorandum prohibits companies from disclosing information about cyber-attacks and the responsive measures taken according to the instructions of the National Cyber Directorate. Yet both Israel's own Data Security Regulations and the GDPR require organizations to notify of data breaches – precisely the notification that the memorandum seeks to prohibit. So which measure prevails in this conflict of laws? In Israel, once the memorandum becomes law it will arguably prevail over the regulations due to the legislative hierarchy – a statute ranks higher than secondary legislation such as regulations. But how will the conflict between the memorandum’s proposed prohibition and the data breach notification obligations under foreign laws applicable to Israeli companies be reconciled…?