Cybersecurity Comparative Guide

Published date: 19 May 2021
Subject Matter: Privacy, Technology, Privacy Protection, Security
Law Firm: Naomi Assia & Co Law Offices
Author: Ms Naomi Assia

1 Legal framework

1.1 Does the law in your jurisdiction distinguish between 'cybersecurity', 'data protection' and 'cybercrime' (jointly referred to as 'cyber')? If so, how are they distinguished or defined?

The law in Israel uses the terms 'cybersecurity' and 'data protection' for similar purposes with regard to privacy issues in civil procedures. The term 'cybercrime' is used for criminal procedures.

The terms 'cybersecurity' and 'data protection' are not distinguished in current legislation. The Cyber Defence and National Cyber Directorate (see question 3.2) includes a definition of 'cyber protection' and refers to 'data protection'.

1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?

The key statutory and regulatory provisions that address cyber issues under Israeli law are:

  • the Computer Law, 1995;
  • the Privacy Protection Regulations (Data Security), 2017 (based on the 1981 Privacy Protection Law);
  • the Emergency Regulations, 2020 on the and processing of 'technological information' on Israeli citizens to stop the spread of COVID-19;
  • the Cyber Defence and National Cyber Directorate Bill, which is under negotiation in the Israeli Knesset (Parliament); and
  • the Copyright Law, 2007 - Amendment 5 (2019) on the procedure for the disclosure of the identity of internet users under certain circumstances.

1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?

(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?

Special cyber laws apply in sectors such as insurance, banking, healthcare and cybersecurity.

(b) Certain types of information (personal data, health information, financial information, classified information)?

The Privacy Protection Regulations (Data Security), 2017 specify the levels of security required for certain types of information, based on the level of data sensitivity as defined under the regulations. They are categorised as follows:

  • databases to which a basic level of security applies;
  • databases to which a medium level of security applies; and
  • databases to which a high level of security applies.

1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?

Paragraph 15 of the Privacy Protection Regulations (Data Security), 2017 deals with outsourcing and specifies the obligations of the outsourced service provider with regard to cybersecurity. The regulations govern the agreement between the Israeli entity and its outsourced service provider (which may be a non-Israeli entity).

1.5 Do any bilateral or multilateral instruments related to cyber have effect in your jurisdiction?

Bilateral or multilateral instruments relating to cyber are provided under paragraph 15 of the Privacy Protection Regulations (Data Security), 2017 (see above).

1.6 What are the criminal penalties for cybercrime (eg, hacking, theft of trade secrets)?

The Israeli Computer Law, 1995 sets out the following criminal penalties for cybercrime (eg, hacking, theft of trade secrets).

Paragraph 3 sets out a punishment of imprisonment for five years for those who:

  • transmit or store false information or act on information in a way that results in false information or false output; or
  • write software, transfer software to or store software on a computer so that its use will result in false information or false output, or operate a computer using such software.

In this regard, 'false information' and 'false output' are information and output that may be misleading, depending on their use.

Under Paragraph 4, illegal intrusion of a computer or illegal infiltration of material found on a computer is punishable by three years' imprisonment, except where this is based on the Wiretap Act, 1979.

Paragraph 5 provides that anyone who commits an act that is prohibited by Section 4 in order to commit an offence under any law will be sentenced to five years in prison.

Paragraph 6 provides that:

  • anyone who edits software in such a way that makes it capable of causing damage or disruption to a computer or material stored on a computer, whether specified or unspecified, will be sentenced to three years in prison; and
  • anyone who transfers to another or installs on another's computer software that is capable of causing damage or disruption as stated above, in order to cause unlawful damage or disruption, shall be liable to imprisonment for five years.

2 Enforcement

2.1 Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so what?

Cyber-related civil issues concerning personal information and data security breach are the responsibility of the Israeli Privacy Protection Authority (PPA). The Privacy Protection Regulations (Data Security), 2017 impose a mandatory requirement to notify the PPA of any personal data breach. The PPA is authorised by law to initiate enforcement and supervision of any...
