The Commissioner of the Privacy Protection Authority Adv. Gilad Semama told a conference earlier this month, "Since the beginning of the Swords of Iron War, we see an increase by three times in serious cyberattacks against Israeli companies. Even before the war, the data security observance in companies was not satisfying, and therefore companies and organizations must give more emphasis on compliance with the Privacy Protection Law and regulations (data security), as is relevant at the current time. A company that does not secure its data and does not comply with the provisions of the privacy protection regulations puts itself at great risk of losing its assets and collapsing."
Adv. Semama was speaking at a conference led by the Privacy Protection Authority and Israel Directors Union, regarding the new proposed instructions of the Authority on the role of the board of directors in carrying out corporate duties, in connection with privacy protection regulations (data security), which are stimulating discussions and concerns among directors in the Israeli economy.
According to the draft guidelines, published for the public’s comments in September 2023,the Privacy Protection Authority’s position is that when considering corporate governance principles and the customary division of duties between the organs of a corporation, in general the board of directors is the appropriate body to ensure the existence and performance of certain supervisory duties, imposed under the regulations on a company.
The duties the draft guidance refers to include determining the organs within the organization responsible for carrying out the regulations’ requirements, applying a mechanism for supervision, monitoring, compliance and updating on the fulfillment of the requirements under the regulations by those responsible in the organization; and setting policy decisions regarding the ways personal data is used by the organization, and the management of other material decisions in this regard.
In addition, the draft guidance suggests the board of directors will carry out directly some of the actions required under the regulations, including among other things, the approval of the database definitions document and the main principles of the organization’s data security procedure, as well as discussing risk surveys’ results and appropriate solutions to deficiencies found.
Adv. Semama said, "The area of data security supervision should also be set out before the board member who needs to display vigilance and awareness of compliance with the standards of data security regulations in the company. This would be a binding directive and not a recommendation, aimed at companies and organizations which the field of data processing is at the core of their activities, or in companies where there is a significant risk regarding privacy protection. At the moment, this is a draft regulation, and we have received public comments. Our goal is to create a fitting instruction, while at the same time, it is also important to understand that the time has come to raise the standard of data security in companies."
Directors who took part in the event raised the concern that the new instruction might assign executive duties to the board of directors, and therefore may not be applicable, while exposing them to regulatory sanctions.
Adv. Vered Zlaikha, Partner and Head of Cyber Affairs and AI Practice at Lipa Meir & Co. Advocates praised the open dialogue created by the Privacy Protection Authority with the public before publishing the instruction and set out several difficulties that may arise in her perspective regarding the PPA's draft instruction, from the board of directors’ point of view. She said, "We must understand that in the current reality, the proposed instruction is likely to apply to many organizations in the economy. Directors should outline strategies and risk management in companies, when cybersecurity is one of those risks that must be considered. In this regard, the Authority’s instructions may help to raise the board of directors’ awareness and provide them with the tools to fulfill their role. However, the draft that has been brought before the public raises concern that directors will become an executive body instead of a supervisory body in some respects.
Adv. Zlaikha also addressed the concern about the responsibility that lays with the directors for data security deficiencies. "The fact that the board of directors should be informed and supervise the company's security practices, while demonstrating proactivity in the supervision of risk surveys in the organization, does not necessarily mean that the board of directors should bear the responsibility of a database controller, according to the regulations in this context. In my opinion, the board of directors should be involved regarding deficiencies found in risk surveys, as well as oversee that a course of action to solve these data security deficiencies has been found, but the responsibility for finding solutions to deficiencies, rests with the senior management level. The difficulty is in the Authority's requirement presenting that directors bear a direct duty under the regulations if the new instruction draft is adopted as it was published.
Hadar Zofiof Hacohen, CEO of the Israel Directors Union expressed concerns about the interpretation of the corporate law as may be understood from in the document, and regarding the possible damage to corporate governance if the draft directive, is approved as published, without the relevant changes. She also stated, The Union will continue in its mission to hold meetings of this type in order to provide directors with an enabling environment for their voices to be heard both when formulating legislation or new instructions and regarding proposals for streamlining from the field to promote a transparent, credible and secure market."
Published by Globes, Israel business news - en.globes.co.il - on March 26, 2024.
© Copyright of Globes Publisher Itonut (1983) Ltd., 2024.