Companies handling personal data deficient 71% of time

Political parties also found to be widely wanting

A man is reflected in a monitor as he takes part in a training session at Cybergym, a cyber-warfare training facility backed by the Israel Electric Corporation, at their training center in Hadera. (photo credit: REUTERS/RONEN ZEVULUN)
A man is reflected in a monitor as he takes part in a training session at Cybergym, a cyber-warfare training facility backed by the Israel Electric Corporation, at their training center in Hadera.
Companies that store and use customers’ personal information are deficient 71% of the time when handling that data, especially with regard to third parties, a report issued on Monday found.
Thirty-six surveyed corporations continued to ignore updated legal guidelines for protecting personal data, the Privacy Protection Authority, a statutory body, said in the report.
Breaking down the 71% figure, the report said 53% of companies handling customers’ personal data in regard to third parties was moderately deficient, while 18% were significantly deficient.
There were some bright spots in the report. In securing customers personal data within their own networks, 81% of companies performed at a high level, 19% were moderately deficient, and none were significantly deficient.
The report said 69% of companies performed at a high level in conducting inspections of their data-protection practices, while 31% were moderately deficient or worse.
In a related development, the Privacy Protection Authority last week recommended that all organizations appoint an executive of sufficiently high standing to be responsible for data protection and sit on the company’s executive board to ensure that information protection is overseen at the highest level.
The authority acknowledged that the law does not yet demand such an appointment, but it stressed the clear shortcomings of most corporations in data protection and urged companies to voluntarily appoint an officer to the role.
A report by the authority released in September said nearly all the country’s political parties were deficient in protecting voter registry data during the last three elections.
Hardly any of the parties had implemented a review of their data-protection capabilities to discover their worst security failings and how to plug them, it said. Almost all of them had afforded access to large portions of the voter registry to far too many activists despite legal requirements that most should only be given limited access to that information.
As with corporations, political parties have also neglected to appoint a designated official to guard voters’ personal data.
Most political parties were prepared to receive voter data from almost any third party without checking whether that third party had acquired the data legally, the report said.
The same disturbing issue arose with political parties failing to ensure privacy protections when they shared voter registry data with the third parties they were working with.
Certain political parties also used third parties to illegally collect data about citizens to try to determine their likely voting patterns, the report said.
In February, the privacy authority issued one of many statements regarding the crisis in which around 6.5 million Israeli voters’ personal information had been leaked. But it gave no details about the consequences of the leak or a timeline to plug it.
The Jerusalem Post recently confirmed with the privacy authority that the probe of the issue is ongoing, and an announcement could be made later this month, but it may be drawn out for a few more months.
The personal information of 6,453,254 Israelis was leaked after the Likud Party uploaded the entire national voter registry to an application, Haaretz reported in February.
Besides the 2006 theft of the voter registry by two state employees for money, the leak is considered the most serious in Israel’s history.
The leaked information includes voters’ names, ID numbers, phone numbers and addresses.
Israeli political parties receive information on voters before elections, and they are bound by law to guard it. They are forbidden from copying, erasing or transferring the registry.
The voter registry was uploaded to an application developed by Elector, a company that Likud used on Election Day. A security breach allowed the voter registry to be downloaded to a computer.
The leak was nothing short of “disastrous” and could endanger national security by providing access to key officials’ personal data to Iran and foreign intelligence agencies, former Shin Bet cyber official Harel Menashri told the Post at the time. The authority has said it would not expedite its findings.
Leading into the April 2019 election, a hack of Blue and White leader Benny Gantz’s cellphone raised questions about whether political parties were sufficiently protected from hackers.