"Due to the rise in cyberattacks and data security events, directors are required to ensure the preparedness of the company for events of this type," - so warned Adv. Reuven Eidelman, Privacy Protection Authority legal advisor at a conference organized by Pearl Cohen Zedek Latzer Baratz law firm. Code Blue founder and CEO and former Deputy Head of the National Cyber Directorate Refael Franco said that more than 60% of companies choose to pay ransoms following cyberattacks.
"The main purpose from our point of view is to make directors play a more proactive role in the way that the company relates to personal data," said Adv. Eidelman, Head of the Legal Department at the Privacy Protection Authority. He was speaking at the conference, organized by Pearl Cohen Zedek Latzer Baratz law firm in cooperation with the GCS (General Counsels for GCS) organization, which was held following a new instruction by the Privacy Protection Authority requiring directors to supervise data security at the company.
Eidelman said that directors are required, "To ask questions and demand answers about how the company is prepared to cope with events, and what sort of personal data the company uses, and if there is consent from people, if the data is transferred abroad, and more."
Eidelman emphasized that it is the responsibility of the board of directors to protect as far as possible the information held in the enterprise's networks. He said that in the coming years directors will be required to increase their involvement in the issue, among other things, "Due to the growth in cyberattacks in Israel and around the world, especially since the outbreak of the war, which has caused a significant rise in threats to companies and the entire economy."
The enforcement by the Privacy Protection Authority, remarked Eidelman, is aimed at companies and not at the directors themselves. The Privacy Protection Authority checks whether the company is bringing the issues before the directors, as required by the instruction. In instances of violations, sanctions could be imposed on the company, including financial sanctions, under Amendment 13 of the Privacy Protection Law, which grants the Authority broad powers of enforcement. At the same time, Eidelman explained that the instruction on the responsibility of directors is not aimed at every company that holds a database, but rather at companies in which the management of personal information is at the core of their activities.
Code Blue founder and CEO and former Deputy Head of the National Cyber Directorate Refael Franco revealed at the conference that, despite the advanced protective measures they operate, more than 60% of companies choose to pay the ransoms that hackers demand from them. He recommends that companies prepare for these attacks, and he stressed that he is against paying ransoms.
"If we prepare correctly and we undertake preparations for the crisis, the likelihood of the unexpected in a cyberattack event will be reduced," he said. For this reason, Franco recommends focusing on several key aspects when preparing for a cyberattack. Among other things, he says, the company must understand who the attacker is, ensure that the company complies with regulatory requirements and that investment in data security is above the average in the sector, and examine the multidimensional organizational capability to recover from and prepare for a cyberattack event.
Franco warns that the threat to Israel's economic space has strengthened, especially since the events of October 7. He said that Iran and cyber criminals are taking advantage of the most advanced technology in order to carry out more intelligent and more damaging attacks, including data encryption, theft and blackmailing of clients. "We are seeing a major change here - the attackers are no longer hiding and the threat is becoming overt and clear," he said.
Adv. Haim Ravia, Partner and Chair of the Cyber, Privacy & Copyright Practice Group at the Pearl Cohen law firm said that the Privacy Protection Authority’s instruction to directors places a heavy burden on them. He warned that the tests for the directive's applicability require examination and judgment by each company, and that the main tool it calls for in its implementation - a company enforcement plan - is familiar in the context of Securities and Competition law but is still new in the context of privacy.
Adv. Ilan Gerzi, Partner and Chair of the Capital Markets & Securities Practice Group at Pearl Cohen, observed that US case law on the issue is also expected to affect the courts in Israel. "The US courts have set in a number of rulings the actions that a reasonable board of directors is expected to take in order to prepare for cyberattacks, reduce the chance of their occurrence and reduce the damages that might be caused as a result. In the meantime, the criteria and reporting deadlines have been set in relation to the occurrence of a cyberattack event, its scope and the damages that might be caused as a result. There is no doubt that these criteria will be adopted and implemented in the rulings of the courts in Israel, and will serve as a benchmark regarding the board of directors' responsibilities of care, taking into account the instructions of the Israel Securities Authority and privacy protection laws."
Gerzi said, "US regulators have for some time been imposing fines, ranging from a few million dollars to hundreds of millions of dollars, on corporations operating in the US or traded on US stock exchanges. At this stage, there have been rulings for Israeli companies to pay compensation of a few million shekels, but it seems that the compensation amounts will also increase significantly depending on the extent of the damage caused to the corporation's customers and shareholders in the companies."
Published by Globes, Israel business news - en.globes.co.il - on December 9, 2024
© Copyright of Globes Publisher Itonut (1983) Ltd., 2024