The Israeli Privacy Protection Authority has tightened its published policy on data breach notifications, emphasizing that it now requires “immediate” notification upon the discovery, or reasonably suspected occurrence, of a serious information security incident.
According to the Protection of Privacy Regulations (Information Security) from 2017, a controller or processor with a database subject to a high or intermediate level of information security must provide an immediate report to the Privacy Protection Authority. Until now, however, the Authority’s publications have stated that the appropriate timescale to report such an incident is 24 hours from discovery, and in any case no later than 72 hours from discovery.
In September, the Authority changed its position and is now demanding that the notification be made immediately, given the increase in serious information security incidents in all companies and organizations in the Israeli economy, both private and public. The Authority asserts that immediate reporting, together with the Authority’s availability to assist in the early stages of the incident, will allow it to advise the organization professionally and help it mitigate the adverse consequences of the incident and the monetary and reputational damage to the organization.
The revised policy is available on the Israeli Privacy Protection Authority’s website (in Hebrew).