If you digitally store your customer or client information (who doesn’t?), you could be risking exposure to civil and criminal legal proceedings! Rather than being the foundation of your operation, your business database could be a liability if you don’t take steps to protect it.
If you’re a business owner or manager, you’ve been careful about your contracts, and you’re probably storing all your information online, in a database. You’ve got personal details for contacts, customers, employees, suppliers, and everyone in between. But did you know that using a database may expose you to class action suits, individual lawsuits, fines, or even criminal proceedings? Here’s what you need to know about your legal obligations and responsibilities under the law.
Defining a Database
A database can be any digital outlet. Folders on a computer or in the cloud (like Google Drive or Dropbox), CRM software, and mailing lists all qualify as databases and are subject to the requirements of the law.
In order to increase the protection of the personal information that every business and organization holds, the legal regulations defining security have been amended. Because almost every folder on a computer, mailing list, or management software is a database, the way you handle it is crucial. Your business database could be a liability if you neglect to protect it.
4 Levels of Security
The law requires that different levels of security be applied depending on the type of business. So, size does matter here. The volume of information, the manner in which it is used, and the type of information stored in the database are all considered.
- A database managed by an individual – This is an independent business owner or a company owned by an individual. For example, a flower shop where the owner has CRM software and stores customer information, phone numbers, addresses, and maybe even birthdays, anniversaries, etc., that are used as a marketing tool.
- Basic security level – This is any business that is not considered an individual and is not at the medium or high level.
- Medium security level – This group includes entities such as public institutions and companies where more than 10 employees are authorized to use the database. The details in such a database are defined as “sensitive information”, such as medical, genetic, or criminal information.
- High security level – These include entities whose purpose is to collect information on behalf of another party, or whose database includes ordinary information about more than 100,000 people.
In some cases, an increased level of security is needed.
- By virtue of ethical rules or professional affiliation. For example, a lawyer or psychiatrist cannot benefit from the security requirements of a database managed by an individual, even if they are self-employed, work alone from home, and keep their database in a folder on a personal computer. This is because their profession imposes a duty of confidentiality.
- Due to the purpose of the database. Databases that are intended to collect information in order to provide it to another party are required to have a higher level of security. Thus, for example, mailing companies cannot have the same level of security as an individual, and a higher standard is required of them.
- And size does matter. Businesses whose database includes details of more than 10,000 people, regardless of the field of activity and the type of information, will not be able to benefit from the level of security of an individual.
- The nature of use. If the same flower shop owner from the previous example also employs three employees with access to the database, he will no longer be able to enjoy the level of security of an individual.
Don’t Let Your Database Be a Liability: Protect It
You need to apply to the Ministry of Justice in order to register your database. You’ll request a certificate confirming that you own a registered database. If you don’t do this you are holding the database illegally!
The regulations establish mechanisms designed to make information security part of your business management routine, in accordance with the sensitivity and scope of the personal information in your database. So, you’ll be required to draw up a definition document for the database, implement process and technological controls, map your data and conduct a risk survey, set policies and procedures, and more.
Compliance with the requirements of the regulations may reduce your business’s exposure to existing risks in cyberspace and significantly reduce the legal exposure of your business and of you personally.
We recently witnessed a fine of millions of shekels and class actions of hundreds of millions of shekels that one of the huge insurance companies had to deal with after a hack of the company’s computers exposed its own personal information and that of its policy holders.
Avoiding Other Risks
There is more than a legal risk when a database is hacked. The operation of the business itself is also at risk. Trade secrets could be exposed, and your company’s competitors could get hold of your lists of suppliers and prices. Your relationships with companies you may be working with abroad could be harmed due to European or American requirements to maintain cyber defenses in the business. And of course, there could be severe damage to the public’s trust in your company. Information hacks have caused company shutdowns and, ultimately, huge expenses to recover information that has disappeared.
Complying with the legal requirements for operating a database will help protect you and your customers and/or clients, and significantly reduce your business’s exposure to the consequences of a hack.
We are here to help you understand the regulations and process your business’s registration. Contact me, Aviram Goldstein (from the Hait Family Law business department), at email@example.com