Israel has seen momentous progress in its defense against cyber-attacks over the last few years. However, the legal field has not advanced in step. While we witness technological improvements we have never seen before, we lag behind most developed countries on the legal aspects. Israeli legislation in this field is mostly outdated.
Therefore, it was encouraging to hear the announcement given a few days ago by the Law, Technology and Information Authority (LTIA) of the Ministry of Justice (which is in charge of the enforcement and application of privacy laws and protection of personal information laws in Israel) regarding new information security regulations. The Authority designed these regulations and the Knesset is expected to approve them soon. The regulations may address only the protection of personal information, but this information is extremely valuable.
The approval of these regulations will be a first and important step. They should begin to establish the duties of Israeli organizations that manage or hold personal information, in support of the battle against possible cyber-attacks on certain organizations, both private and public. They are meant to reduce the risk of misuse of the information such organizations store and of attempts to compromise their information security.
The new regulations seek to clarify issues of information security that arise out of existing laws and regulations that do not fit the current technological era. The novelty and main point in these regulations is the duty to inform LTIA about any severe cyber-attack that leads to any breach or exposure of organizational databases that contain personal information. Furthermore, the regulations determine that LTIA is authorized to order the owners of databases to inform those who provided their information about any relevant data breach.
Moreover, the new regulations require organizations to settle and predefine internal procedures, specifying their organizational practices and ability to manage different information security events and clarifying the duties and responsibilities of those who have access to the information stored by the organization. The draft of these regulations includes a long list of actions an organization must take in order to resolve any information security issue.
The information security regulations are an addition to the procedures determined by other institutions that supervise organizations from specific fields, such as the Banking Supervisor and the Insurance Supervisor. But what about other active organizations in the market? What code requires them to protect the information stored on their systems, other than the personal information, which just recently gained such legal protection?
Our information might be safer now that the information security regulations have been approved, but there is still no binding code concerning the remaining data. The unprotected sources include all the technology developed in the country, copyrights and sometimes patents, sensitive business information and all the existing financial systems of companies. There is no binding data protection code for any of those in Israel.
A country that is so exposed to cyber-attacks should have a binding code for the protection of computerized systems, at least with regard to the leading companies in the market. Such a code would address possible breaches of these companies' systems. Beyond any tangible damage, such breaches would be a horrific embarrassment to the Israeli market and compromise our global image.
Therefore, the legislator must intervene and support the battle against cyber-attacks. The Knesset should create legislation concerning all the aspects of this issue. Such legislation may also establish the activity of the Israeli cyber industry, the plausibility of information export and receipt of similar knowledge, and any other issue the book of laws should address in a developed country.