Privacy Protection Regulation
Attorney Yossi Baruch has extensive experience in the fields of data protection, cybersecurity, privacy, and administrative law.
From 2019 to 2021 he worked as an independent lawyer, providing consultation and representation to clients from both the private and public sectors. Previously, from 2009 to 2019, he served as Director of the IS Internal Audit Division at the Israel Tax Authority.
His comprehensive education includes an LLB from Ono Academic College, a Master's degree in Public Policy for Executives from Tel Aviv University, and a Bachelor's degree in Behavioral Sciences from the Open University of Israel. Additionally, he holds prestigious professional certifications such as CDPSE, CRISC, and CISA from ISACA, as well as an EXIN certification in GDPR.
Attorney Baruch is active in professional privacy protection forums, including ISACA and DPC, where he currently serves as head of the Privacy Protection Forum. His diverse experience and in-depth knowledge enable him to provide clients with comprehensive, professional legal advice in his areas of expertise.
Legal and administrative services in the field of privacy protection regulation, in accordance with the applicable law in Israel, Europe (GDPR) and the USA (CPRA, etc.):
- Outsourced DPO.
- Mapping the existing situation: identifying and classifying the systems and databases used by the organization and examining how they are managed; delineating the obligations that apply under law, regulations and regulatory guidance, and analyzing the gap between those obligations and actual practice.
- Preparing and conducting a risk survey and impact analysis in the fields of information security, cyber and privacy.
- Examining information security in the supply chain, in particular with external providers of systems and databases.
- Containing legal exposure following a serious information security incident in an organization that holds databases.
- Consulting and representation in administrative or criminal enforcement proceedings before the Privacy Protection Authority of the Ministry of Justice or the State Attorney's Office.
- Filing a lawsuit, or providing legal defense, in the event of a violation of a person's privacy without consent, including offenses under the prohibition of defamation, harassment, or sending advertising material through a Bezeq device ("Spam Law").
- Submitting requests under the Freedom of Information Law.
The list of activities performed by us:
Validating the existence and content of the database definitions table, including:
- A diagram of the database systems.
- An inventory of equipment and technology (hardware and software).
- The type of DB in each information system.
- The agreement and contract specification with each supplier/processor of a material database system.
- Characterization of security and privacy in the establishment/development of systems and applications, in accordance with privacy-by-design principles.
Identification and mapping of assets and databases across the various information systems:
- Classification of the sensitivity of the information, the required security level, and the resulting conditions for managing the databases.
- Determining which normative framework applies in the circumstances of the case: the Privacy Protection Law, 5741-1981; the Privacy Protection Regulations (Information Security), 5777-2017; the European Union General Data Protection Regulation (GDPR); local privacy laws in the US states (CPRA, etc.); as well as an accepted professional standard in the field (ISO 27001, SOC 2, NIST, etc.), and verifying compliance with it.
- Defining the officials responsible for the databases, including their areas of authority and responsibilities: drafting appointment letters for the database managers, drafting policies, and publishing the appointment of a security officer or DPO.
- Actual enforcement of the information security policy/procedure: an annual review of security incidents and/or changes in organizational structure or processes, and updating the security procedure and/or the database definitions table accordingly.
Controlling and enforcing compliance with the provisions of the law/regulations and carrying out the actions they require:
- Retaining and backing up security event data (logs) for at least 24 months, including verifying that the backups can actually be restored.
- Maintaining a procedure for handling a security incident/information leak and/or a BCP/DRP, and actually exercising it (as a tabletop or full exercise).
Information security management through HR:
- Support in the screening/vetting of a new employee.
- Conducting suitability/reliability tests for an employee who has access to sensitive business or personal information in the company (finances, trade secrets, etc.).
- Including in the employment agreement a signed commitment to confidentiality and to compliance with the applicable security and privacy instructions and rules.
- Maintaining a documented mechanism for basic training and periodic refreshers on security and privacy instructions (also possible via an e-learning module, "Lomeda"), including phishing or social-engineering tests.
- Obtaining the employee's explicit, informed, prior written consent to monitoring and control of: physical activity (security cameras, attendance/location reporting applications, etc.); the employer's right to the material and intellectual property in all of the employee's work products; and, in the database systems, the input/output of information to and from external sources or the Internet, and the nature of the employee's use of files and email (personal/professional/mixed).
- Maintaining a systematic, documented process for opening, changing and closing authorizations throughout an employee's life cycle.
Maintaining a monitoring and control mechanism, preferably technological, that enforces the performance of fundamental security actions by users:
- Distinguishing from the outset, in identification and monitoring, between ADMIN accounts of a system or of operational/security tools and regular USER accounts (personal accounts only; no generic usernames).
- Keeping an activity log (LOG) of every user action on all essential storage systems; the log is reviewed periodically and exceptions are handled as necessary.
- A strong password structure for network/application access: at least 8 alphanumeric characters including special characters, changed at least once every 90 days.
- Remote access to the network by entering a fixed username and password, together with MFA or OTP.
- Collecting or providing information only under legal/administrative authority, or with the data subject's explicit, informed, prior written consent (obtained directly from the subject, or about the subject from another institution).
- Monitoring the number of data subjects in each database (including historical records) and regulating the exercise of their right to review, correct or delete the information about them, including a designated person in charge and contact channels for inquiries or complaints in this regard, or for reporting a possible leak of information from the database.
- An annual review confirming that the information held in the database is no more than necessary to fulfill its purpose, in line with the purpose-limitation principle.
- Conducting or supervising a periodic audit, a privacy/information security risk survey and/or penetration testing, every 24 or 18 months depending on the security level (medium/high).
- Online registration of the databases with the Registrar at the Israel Privacy Protection Authority, where required.