Legal Liability in Data Breaches in Israel: Where Do We Really Stand?

Home Page » Professional information » Legal Liability in Data Breaches in Israel: Where Do We Really Stand?

A data breach isn't just a headline—it's a real-time business, legal, and human crisis. This article focuses on the situation in Israel: what the law says, what happens in practice, and why executives, IT professionals, and CISOs must stay alert. We'll briefly compare global standards, but the spotlight is here, at home.

2023 was another year in which data breaches dominated the headlines—but how much has really changed? According to IBM’s latest report, the average global cost of a data breach in 2023 was around $4.45 million per organization. In Israel, the main legal framework is the Protection of Privacy Law, 1981, and the Privacy Protection Regulations (Data Security), 2017. But is this enough? Is it enforced? And is your organization truly ready for the moment of truth?

What Does the Law Say in Israel?

Internal Documentation – According to Regulation 11(a) of the Privacy Protection Regulations (Data Security), database owners must have a documented procedure for handling data security incidents.
Reporting to Authorities – Regulation 11(b) requires reporting “as soon as possible” in the case of a “severe security incident,” such as a breach, disruption, or unauthorized use.
Notifying the Public? – There is no legal obligation to inform affected data subjects; this is left to the discretion of the Privacy Protection Authority.

Problems That Need Fixing

The Public Often Remains in the Dark – Without mandatory notification, the right of individuals to know about data breaches is compromised.
“As Soon as Possible” Is Too Vague – Clear legislative definitions of reporting deadlines are needed (the authority’s 2021 procedure adopts a 72-hour standard).
Penalties Are Too Weak – According to Section 31G of the Protection of Privacy Law, the maximum fines are NIS 50,000 for corporations and NIS 20,000 for individuals—far from deterrent.
Enforcement Is Almost Nonexistent – According to the authority’s reports, only a handful of financial penalties have been imposed, even in large-scale incidents.

Real-World Examples

Shirbit (2020) – A major cyberattack resulted in the leakage of personal data of hundreds of thousands. The fine: NIS 100,000. A class action lawsuit seeking hundreds of millions of shekels was also filed.
Clalit Health Services (2021) – Sensitive medical data of hundreds of thousands of patients was leaked. The fine: only NIS 50,000. No individuals were directly notified.

What About Personal Liability?

It’s not enough to write policies—someone has to take responsibility.

Corporate Officers – Section 31Z of the Protection of Privacy Law requires officers to supervise and do everything in their power to prevent violations. Breaches may result in administrative fines.
In Severe Cases – Personal tort liability may arise due to negligence (as per the British Canadian Builders v. Oren ruling).
No Criminal Liability Yet – But globally, such trends are emerging. In Israel? Not yet.

What Every Manager Should Do:

Document every decision and recommendation related to information security.
Regularly update the board on risks and preparedness.
Acquire professional liability insurance tailored to cybersecurity.
Ensure policies are up to date and that ongoing training is conducted.

What About the Cloud?

Everyone’s in the cloud—but who’s responsible when a breach occurs?

Cloud Providers – Responsible for infrastructure.
The Organization – Responsible for configurations, permissions, and the data itself.
Contracts – Most cloud providers limit their liability in contracts, leaving the legal exposure to the organization.

Practical Recommendations:

Read every clause in cloud contracts—especially indemnity and liability sections.
Prepare a tailored incident response procedure in advance: team, templates, legal advisors.

Summary – Where Does This Meet You?

Israeli Law Is Evolving – But still lacking. We need more transparency, more enforcement authority, and more personal accountability.
If You’re in Charge of Data – Take this personally.
Don’t Wait for the Breach – Build your mechanisms today. It’s not “if it happens”—it’s when.

Footnotes

IBM Security. (2023). Cost of a Data Breach Report 2023. Retrieved from https://www.ibm.com/reports/data-breach
Israeli Privacy Protection Authority. (July 2021). Administrative Fine Imposed on Shirbit Insurance Company.
Class Action (Tel Aviv District) 28541-12-20 Anonymous v. Shirbit Insurance Company Ltd.
Privacy Protection Law, 1981, Sefer HaHukim 1015.
Privacy Protection Regulations (Data Security), 2017, Kovetz Takkanot 7809.
Israeli Privacy Protection Authority. (February 2021). Procedure for Handling Data Security Incidents.
Section 31G of the Privacy Protection Law, 1981.
Israeli Privacy Protection Authority. (2022). Annual Activity Report.
Section 31Z of the Privacy Protection Law, 1981.
British Canadian Builders Ltd. v. Oren, Civil Appeal 725/78, PD 35(4) 253.

Didn't Find What You
Were Looking For?
Contact Us!

The First Step Starts Here

Professionalism

Our primary asset lies in our human capital, delivering real-time solutions on-site. Therefore, our IT technicians undergo continuous training and certification to ensure top-quality service.

Quality Assurance and Reliability

We implement high-standard quality processes that include clear procedures, documented monitoring, extensive control systems, and thorough inspections.

Availability and Teamwork

We understand the importance of maintaining the continuous operation of our clients' computer systems. Our team ensures full availability to support you whenever needed.

Integrity and Reliability

Integrity and reliability are our guiding principles, serving as a solid foundation for productive and successful collaboration.

Data Protection

T.O.M is committed to maintaining the confidentiality of information and utilizing advanced technological means to safeguard the assets of the organization and, of course, all its clients.