New Trends in Class Actions for the Enforcement of Data Privacy Protection Law

In this newsletter we summarily review developments in the field of private enforcement of protection of privacy and data security of personal information, primarily through the prism of the Privacy Protection Law 5741-1981, and the regulations promulgated thereunder.

In the last two decades we have witnessed significant technological advances manifested in most aspects of everyday life. Alongside the numerous advantages of such technological innovations, there are severe information security risks and data leaks of sensitive personal information.

The Israeli Privacy Protection Law and the regulations promulgated thereunder impose duties on database owners (controllers) that carry sanctions for a breach of such duties. However, since its legislation in 1981 (prior to the Instagram and Facebook era), the abundance of technological advances has led to the law’s failure to address current risks or to properly protect personal information and the right to privacy. Privacy protection legislative processes are slow to progress; thus, legislation lags, failing to address the fast-paced and ever-changing technologically advanced reality.

This reality, alongside increased public awareness of the risks associated with information security and protection of privacy, has brought about a significant increase in private enforcement, amongst others, through the filing of complaints with the relevant authorities as well as through the filing of motions for certification of class actions with the courts. The causes of action underlying these motions and complaints are violations of the Privacy Protection Law and the Information Security Regulations promulgated thereunder, as well as the violation of other related laws overlapping and interfacing with this matter.

This has been a prevalent trend in other countries, and in recent years, this trend has also increased in Israel, with dozens of such privacy related class action certification motions having been filed. Recently, a class action certification motion for NIS 2.6 billion has been filed against HMO Clalit arguing a severe security failure that enabled any person that visited the HMO Clalit website to easily obtain sensitive medical information of all persons insured by the HMO.

Other class action certification motions were filed following hearings or proceedings held by the Israel Privacy Protection Authority and decisions issued thereby in relation to companies that had experienced information security incidents, such as in the case of Ituran Location and Control Ltd., whereby a class action certification motion was filed following an audit conducted by the authority, which revealed security weaknesses on the Ituran website that enabled people to go to private clients’ user pages and view their personal information.

In other instances, the authority becomes involved after a class action certification motion has been filed, following a complaint submitted to the authority because of the certification motion. In these instances, the authority initiates administrative proceedings, and the authority’s decision could impact the results of the court proceedings.

Typically, class actions of this kind are for substantial amounts and pertain to a significant number of members of the public; the risk associated with these claims is therefore exceptionally high. As a result, many certification motions are concluded in settlements (often for significant amounts) and do not reach judicial resolution.
In the U.S. for example, following a cyber-attack against T-Mobile, in which personal details of customers were stolen, including identity numbers, social security numbers and additional personal information, a class action certification motion was filed against T-Mobile which, in July 2022, ended in a settlement by which T-Mobile would pay US$350 million as compensation to the group members as well as cover class plaintiffs’ legal costs and expenses. Furthermore, T-Mobile had undertaken to invest an additional US$150 million over a period of two years in strengthening its information security and other technologies.

In Israel, many class actions filed with the courts, mostly for a security failure, have ended in withdrawals of the claims or settlements. These settlements typically include a court order to rectify the alleged security weaknesses, pay compensation to the group members and cover the legal costs and attorney’s fees. Thus, for example, in the case of Avid Life Media, in which the copying and leaking of personal details of the website’s users by hackers was claimed to have occurred, the Central District Court approved a settlement by which the respondents paid towards a compensation distribution and management fund of approximately NIS 600,000 as well as approximately NIS 147,000 in legal costs and attorney’s fees.

In one of the few legal proceedings that was concluded with a judicial ruling, in July 2022, the Haifa District Court dismissed a class action certification motion that alleged a violation of the Privacy Protection Law, following the occurrence of a security breach on the social media platform of Facebook (currently, Meta). In the certification motion it had been argued that Facebook was negligent in taking the necessary actions required to protect the personal information of users in a cyber-attack incident. In its defense, Facebook argued that the attack was carried out by criminal entities that exploited a security weakness not previously known of, and that it was not possible to access the personal details of users on the platform. In this case, the court ruled that the contractual lawful basis is set forth in Facebook’s terms of service, which state that the services are provided “As-Is”, without any guarantee that its services are free of any faults or errors, and further, that the applicant failed to prove he sustained any personal damage from the cyber-attack, nor did he prove that the exposed information had any financial value. It was further ruled that Facebook did not breach its obligation to disclose the cyber-attack, and that no harm was caused to the privacy of the users without their consent; rather, Facebook was subject to a malicious attack. This ruling remains subject to a right of appeal.

Given the above, we recommend adopting several preventative actions to address the above, including, amongst others:
  1. Take preventative measures and conduct a protection of privacy risks assessment.
  2. Adopt a compliance program meeting the requirements of applicable privacy laws, which would be tailored to address the risks identified in the assessment.
  3. Upon the occurrence of an information security incident, consult with a legal counsel with expertise in the field of privacy protection, to ensure that actions taken are compliant with legal requirements and the legal risk is being mitigated properly.
  4. In instances where legal proceedings have been initiated or a complaint has been filed for violation of privacy laws, it is recommended to seek legal advice on the appropriate measures that should be taken to handle such situations, amongst others, by providing proper and correct guidance in connection with the specific incident.
 
This newsletter was written by Adv. Hadas Bekel, a partner in the Litigation Department specializing in class actions, together with Adv. Lior Etgar, a partner in the Commercial Department and Head of Protection of Privacy Practice, with the assistance of Adv. Neta Poliak, an associate in the Litigation Department.
Hadas Bekel
Partner in the litigation department, specializes in class actions


  Email: hadas@ebnlaw.co.il
 Phone: 03-7770130
Lior Etgar
Partner, Leads the Data Protection and Privacy Practice

 
 Phone: 03-7770120

About Our Litigation Department
 

EBN is one of the leading law firms in Israel in commercial litigation.

The firm’s litigation department is consistently ranked as a top tier practice by local (DUNS100, BDI) and international (Chambers, Legal 500) ranking guides.

The firm has handled some of the largest and most significant cases in the commercial arena in Israel, including complex commercial disputes, class actions and derivative suits, administrative proceedings of economic and public consequence, and more.

 
The firm’s Litigation Department counts among its clients many of Israel’s largest corporations as well as global corporations such as Qualcomm, Goldman Sachs, PrivatBank, Boiron, Seagate, UPS, Dyson and many more.
About Our Privacy and Data Protection Department  
The Privacy and Data Protection department provides our clients comprehensive legal service in the areas of technology, privacy risk management, research and development, including complex technological applications that combine information processing, online and SaaS service operations and technological products. In doing so, we help our clients navigate safely between the regulatory worlds of privacy protection, information management and cyber security.

Our firm has significant experience consulting in the fields of privacy and data protection law, among other things within the framework of M&A and investment transactions, commercial agreements, compliance surveys and risks. We advise managers and entrepreneurs regarding privacy by design. In addition, we advise managers in aspects of corporate governance in data management, and compliance with advanced regulations such as the GDPR, CCPA and HIPAA.
The department ranked 