Newsletter Cyber Security
Dear clients and friends,
We are pleased to announce the establishment of a unique department in the Israeli legal market, a department which deals exclusively with the Cyber Security practice field.
The legal market in Israel is affected by constant technology changes, and as part of our ongoing efforts to keep in touch with the ever-changing digital world and our commitment to you, our clients, we decided to establish the Cyber Security department.
In this newsletter we will provide you with a glimpse into the cyber world, and share with you some of our firm's work in this unique and fascinating practice field.
Adv. Yaron Sobol,
Chair of the Cyber Security department
Hamburger Evron & Co. | Cyber Security - In a Nutshell
During the last few years, the cyber security practice field has been changing rapidly, and the significance of this issue has become more and more acute, both for companies (mainly public companies) and private clients.
Cyber hazards stand at the top of the global threats list. Companies and different financial institutions are exposed on a regular basis to complicated and sophisticated cyber attacks on their systems, attacks which can result in extensive damage.
The cyber security threat is posed by a large variety of potential players such as employees who have access to sensitive and confidential data, hackers, social activists, criminal groups, terrorist organizations and even governments.
Cyber security attacks can be conducted for political and protest reasons, in order to obtain commercial and strategic information, or to get hold of intellectual property and trade secrets.
Commercial organizations are currently exposed to extensive cyber attack attempts on their computers and servers, and are consequently forced to establish and upgrade their cyber defenses in order to respond to those sophisticated threats.
Between the technological activities aimed at reducing cyber risks and the informative and disciplinary activities, a company needs the backing of extensive legal activity and enforcement of measures in the field of cyber security.
Often, this legal support comes as a benefit for directors and senior officers as part of the protective layers which they are required to provide to a commercial company in the 21st
Hamburger Evron & Co. holds unique know-how in the cyber security practice field, and maintains an extensive dialogue with both domestic and foreign technology and homeland and cyber security entities. This unique cooperation enables our firm to provide comprehensive solutions to all aspects of Cyber law faced by our clients, both in Israel and abroad.
For further information on this subject, please contact Adv. Yaron Sobol, chair of the cyber security department, at: Yaron.Sobol@evronlaw.com
Last September, Adv. Yaron Sobol and Adv. Shany Winder published a fascinating article in the Haaretz newspaper on the hot topic of directors' liability in the cyber era.
The article presents the exposure and legal liability of directors in the cyber security era.
Director Responsibility in the Cyber Era
14.09.2014 Directors' Liability In The Cyber Age, Haaretz
Directors’ exposure to legal liability in the cyber age is not limited only to risks related directly to the results of cyber security violations, but also extends over potential exposure based on the manner in which the company responds to violations. These are our recommendations.
Adv. Yaron Sobol & Adv. Shany Winder
Cyber security risks top the list of global threats. Corporations and other entities in the market are frequently exposed to complex and sophisticated attempted attacks causing immense damage. Cyber security threats come from various types of potential “players”, such as employees of an organization having access to sensitive information, hackers, social activists, criminal elements, terrorist organizations, corporations, and even countries. Cyber security attacks are carried out for political and protest reasons, for obtaining strategic commercial information, for stealing intellectual property and trade secrets, for espionage, or for terrorist activity.
In recent years there has been increased awareness and involvement on the part of countries regarding the subject of cyber security, and acknowledgement of the fact that cyber attacks pose a principal threat to state security, to national economies and to critical national infrastructure.
On the international level, the Budapest Convention on Cybercrime came into force in 2004. The Convention requires member states to update and harmonize criminal legislation against cyber crimes.
DEVELOPMENTS AND UPDATES IN ISRAEL
Despite the State of Israel’s acknowledgement of the national importance of cyber security, we still lack specific and updated laws regulating this area. The relevant laws are the Protection of Privacy Law, the Computers Law and the Regulation of Security in Public Bodies Law.
In 2011 the Israeli Government resolved to “promote national capabilities in cyberspace”, which was the basis for establishing the National Cyber Bureau. Additional authorities operating in this area are the Israeli Law, Information and Technology Authority (ILITA) at the Ministry of Justice and the Government Information Security Authority. Nevertheless, existing regulation on cyber security is limited.
With respect to dealers and brokers, the Israel Securities Authority issued a directive to the licensed corporations with respect to the obligation to set forth procedures pertaining to their manner of operation and management, whereby licensed corporations, which are corporations holding a license under the Portfolio Management Law, must set forth procedures with respect to information security. Similarly, the Bank of Israel plans to increase the involvement of the Bank’s board of directors and management on such matters, including outlining strategy, supervising implementation and receiving periodic reports.
DEVELOPMENTS AND UPDATES IN US LAW
In spite of the legislator’s attempts in recent years to promote specific cyber security enactment, US legislation on cyber security is also outdated. In most US States there are state laws requiring the issuance of reports on infringement of private information, i.e. unauthorized access to protected information. Pursuant to such laws, many people have received notice regarding breach of their private information.
In the absence of coherent and comprehensive legislation, US regulators have begun acting vigorously and aggressively in recent years in the area of cyber security. For example, the US Securities and Exchange Commission (SEC), regulator of publicly traded companies, published in 2011 a directive regarding disclosure of risks and events of cyber intrusion. Said directive is not mandatory; however, many companies have made adjustments to comply with it. In addition, in February 2013 US President Barack Obama issued an executive order calling for “improving critical infrastructure cyber security”, addressing two principal issues.
First, information sharing between the government and the private sector. Second, protection of privately held critical infrastructure. The executive order promotes voluntary efforts of cooperation between federal authorities and the owners and operators of critical infrastructure, such as the chemical, electric and finance industries, water supply and transportation.
CORPORATE AND DIRECTORS LIABILITY
Even in the absence of specific legislation or regulation on cyber security, failing to take measures for preventing cyber attacks may give rise to liability due to breach of duty of care towards the injured parties. Possible grounds for tort claims against a company include negligence, in the event it is proven that the company is in breach of its duty of care due to failure to protect its Information and Communications Technology (ICT) systems against anticipated risks. In addition, it may be possible to file claims against a company on contractual grounds, in the event breach of contract can be argued under agreements between the company and its clients, unless such situations are excluded in construction of the agreements.
Board of directors’ liability for cyber security intrusions is a new legal discipline gaining speed. Recently, even derivative action has been filed against directors on the grounds of breach of fiduciary duty.
As part of the director’s supervision duties, he must take reasonable measures to protect the private and financial information of the company’s clients. The directors’ exposure to legal liability includes not only risks related to cyber intrusions themselves, but also potential exposure based on the manner in which the company reacted to the intrusion and handled the affair “after the fact”. The problem is that cyber issues are new for most directors, while most of them lack the experience and knowledge required in order to adequately discharge their duties and protect the digital assets of the company. Nevertheless, the board of directors is required to present difficult and complex questions to senior management and ICT personnel and to consult advisors and experts. These are active duties, as opposed to a passive policy of restraint. The importance of advance planning before an event of cyber intrusion cannot be overestimated, as opposed to futile attempts at handling a crisis after the fact.
RECOMMENDATIONS FOR BOARDS
Hereunder is a non-exhaustive list of issues on the subject of corporate cyber governance that directors can consider upon examining company policy on cyber security:
Determining the factors within the board responsible for examining cyber risks.
Identifying risks, estimating costs and response times.
Preparing a cyber intrusion response plan and cyber disaster recovery plan, as well as plans for handling clients, regulators, shareholders and the media in the event of cyber risk realization.
Making a point of updating the board and senior management regarding cyber risks, cyber security policy and procedures.
Examining company reports under existing and anticipated regulation and legislation.
Cyber security training for employees and application of internal access classification.
Inquiring whether the company conducts cyber security scans of its third party service providers.
Inquiring whether the company requires “full disclosure” with respect to cyber security and at what level, when planning its mergers and acquisitions.
Examining the company’s level of security with respect to the products and services it provides: are there loopholes, and is the company choosing technologies correctly?
Top-down obligation to cyber security, including creating an organizational structure that allows reporting security issues to an independent and objective entity in the company.
Employing a qualified ICT team and external independent expert advisers.
Updating procedures, evaluating effectiveness and ability to implement the plans, maintaining sufficient documentation.
Receiving legal advice from a law firm specializing in the field of cyber security.
Purchasing insurance against cyber liability in order to minimize losses that may be caused by cyber security events. Cyber security events may cause loss of sales, prejudice to good will, litigation expenses and settlement costs, regulatory fines, costs of providing notice and defending against state authority inquiries, repairing system impairments and liability to compensate for damages.
REQUIRE REPORTING DUTIES
Another recommendation comes in the field of public company regulation. It is time the Israel Securities Authority determines reporting obligations, to be included in the supervised entities’ periodic reports, on cyber risks to the company and on relevant company policy. Such transparency shall enable the public to correctly estimate the risks of investing in company stock. Regulation 10 of the Securities Regulations (Periodic and Immediate Reports) determines a list of matters to be addressed in the board’s report. Said regulation does not relate to cyber security, and we propose explicitly adding such aspect to the Regulation.
In conclusion, an unprecedented wave of cyber security regulation has hit the US. Despite political and legal difficulties hindering coherent and comprehensive cyber security legislation, the US administrative authorities are not refraining from action, and are taking a range of actions to secure cyberspace on the state and civil-business levels. Even if US regulation does not directly apply to Israeli companies, in a world of robust global and international ties, companies wishing to remain relevant or maintain business ties with US companies are required to adjust themselves to the new and evolving rules.
Israel too is witnessing material changes to existing regulation, which is expected to develop and grow. US regulation is anticipated to continue affecting the conduct of Israeli companies in cyberspace, both as an indicator and catalyst for the Israeli legislator and regulator as well as for companies with international business ties, owning and operating branches in the US, or serving as suppliers or subcontractors of the US Department of Defense. Therefore, thought and strategic planning should be devoted to risk management and the conduct of the company and the board, while receiving close counsel.
Adv. Yaron Sobol is a partner at Hamburger Evron & Co. and chairs the firm’s technology and cyber practice; Adv. Shany Winder is an associate in the technology and cyber practice of Hamburger Evron & Co.
This article does not constitute legal advice of any kind and is solely an expression of the authors’ opinion. Seeking suitable and specific legal advice per the case at hand is recommended.
Cyber Security Event at Hamburger Evron & Co.
During June 2014, our firm held a unique 'Cyber Security event' for the Israeli senior banking and financial community. The event was held in collaboration with ZEK, and led by one of the senior lawyers in the Cyber field, Daniel Gary, Esq.
The event included lectures focused both on theoretical and practical topics in the fields of data protection, cyber-warfare, forensics, e-Discovery and digital privacy.
We were happy to host representatives from the Israeli financial sector, alongside senior officials in the Israeli banking system, legal advisers and technology experts.
The Cyber Security 7th annual conference
This past February, Adv. Yaron Sobol (Chair of the Technology and Cyber department at Hamburger Evron & Co.) took part in the 7th Cyber Security annual conference along with 500 other key members and cyber security leaders in Israel.
Among the other lecturers were the Head of the cyber department at the Israeli Police; Dr. Gabi Siboni, director of the Military and Strategic Affairs Program and Cyber Security Program at the INSS (Institute for National Security Studies); Israeli Parliament member Mr. Harel Margalit, Chairman of the Israeli Parliament cyber lobby; and many others.
Adv. Yaron Sobol lectured about the “Managers’ liability in the cyber era”. In addition to his lecture, the conference covered a wide range of prominent and significant issues from the cyber world, including national challenges in the cyber space, strategies for dealing with direct cyber-attacks and more.
The challenge - information privacy
An article published in 'Haaretz' magazine elaborates on specific aspects of exposing information in the cyber era, and on the much-needed balance between securing information from cyber risks and preserving the fundamental rights of the individual.
Over the years, by virtue of our successful comprehensive legal practice, Hamburger Evron & Co. has been repeatedly ranked in many well known and prestigious Israeli and international legal guides, maintaining its reputation as one of Israel's leading law firms.