When a Director “Enters an Atraf State” (Goes Frenzy) Because of a Data Breach
Articles

When a Director “Enters an Atraf State” (Goes Frenzy) Because of a Data Breach

Written by

Osnat Nitay
October 12, 2024
Print
PDF

In October 2021, a number of Israeli databases were hacked, the best known of which was the database of the gay dating app, Atraf (the Israeli equivalent of Grindr, which took its place when it collapsed). In one moment, highly sensitive personal information was revealed (including highly confidential details, nude photos, and more), and many users (including those who have not yet come out of the closet) went into a literal state of “Atraf” (the Israeli slang word for “frenzy”), for fear that their identity or details would be revealed. The affair finally ended in an investigation by the Israeli Privacy Authority for suspicion of negligence, the result of which is unknown.

Two and a half years later, at the beginning of 2024, the Atraf application came back to life, and almost at the same time, Amendment 13 to the Israeli Privacy Protection Law was passed, which provisions enter into force in August, 2025, and it updates and clarifies the legislation in the field. The amendment establishes new and advanced arrangements and provides effective enforcement tools in line with the challenges of the digital age, with the intention of increasing the protection of the fundamental right to privacy and strengthening the fight against cyber threats. It imposes liability on corporations in the field of privacy protection and increases supervision on possession and trade in databases while imposing high financial sanctions in the event of a violations. It also creates personal liability for directors and officers. This means that if a corporation does not take care to protect the privacy of its customers, its directors and officers may be personally liable both on the civil and criminal levels.

The amendment also corrects a historical distortion in the law, which in practice required almost any small business to hold a database license (a requirement that in practice could not be enforced at all). After the amendment, it is no longer necessary to register small databases, with the exception of databases intended for trading information. It also updates and clarifies the question of what is considered "sensitive data", for which there is a reporting obligation for any size of database, all while conforming to international standards, including the EU Data Protection Regulation (GDPR).

Although the law currently does not explicitly determine the identity of the corporate body to supervise the implementation of the requirements, a position paper of the Israeli Privacy Authority dated January, 2024, establishes detailed obligations that are the responsibility of the board of directors and requires the members of the board of directors not only to be involved in supervision and control but also to pass the information security procedures, perform risk surveys and ensure that data is protected. This creates a standard of care and exposes directors to personal liability in a manner similar to what was decided, for example, already in 1996 in the Court of Delaware, USA, where shareholders of the Caremark company filed a derivative suit against directors on the grounds that they did put in place adequate internal controls. In that case, the American Court held that the company's board of directors breached the duty to implement control systems and to monitor it.

In light of the above, it is extremely important for any company that maintains a database to create proper procedures and an internal enforcement plan which will not only ensure the protection of data but also protect directors and officers in the event of a risk to the information. It is very important that such a procedure and the internal enforcement plan be built in collaboration with legal advisors with deep knowledge of the field, who will also be involved in the procedures for implementing the plan and enforcing it.