Israel Hayom | Officials: Peres possibly violated censorship laws

Israel Hayom had an interesting article regarding President Shimon Peres' recent statements opposing a unilateral Israeli attack on Iraninan nuclear facilities. The relevant part for me is the following:

Peres said no Israeli military action will be undertaken in Iran before presidential elections in the U.S. in November. According to government officials, aside from the public debate on the matter, Peres' remark was a possible severe violation of the censorship law as well as a violation of a law against exposing operational information to an enemy.

As far as I can tell, the Censorship Law refers to the Defence (Emergency) Regulations published during the British Mandate in 1945. I did not see what part of the censorship provisions the President may have violated. Most of the violations in those Regulations stem from a direct contravention of a censorship order.

However, Article 4 of the Penal Law- 1977 covers espionage and may pertain to this situation.

Delivery of information to enemy

111. If a person knowingly delivered information to or for the enemy, then he is liable to ten years imprisonment; if the information is likely to benefit the enemy, then he is liable to fifteen years imprisonment; if he thereby intended to injure national security, then he is liable to life imprisonment; if by negligence he caused to be delivered to or for the enemy information likely to benefit him, then he is liable to three years imprisonment.

Espionage

112. (a)  If a person delivered information and intended to injure national security, then he is liable to fifteen years imprisonment.

(b)  If a person obtained, collected, prepared, recorded or kept information and thereby intended to injure national security, then he is liable to ten years imprisonment.

Aggravated espionage

113. (a)  Repealed

(b)  If a person delivered secret information, without being authorized to do so and thereby intended to injure national security, then he is liable to life imprisonment.

(c)  If a person obtained, collected, prepared, recorded or kept secret information without being authorized to do so, then he is liable to seven years imprisonment; if he thereby intended to injure national security, then he is liable to fifteen years imprisonment.

(d)  (1) In this section, "secret information" – information which national security requires that it be kept secret, or information that relates to a category of subjects which the Government – by order published in Reshumot with approval by the Knesset Foreign Affairs and Defense Committee – declared to be secret subjects;

(2) information the contents, form, ways of keeping it, its source and the circumstances under which it was obtained indicate that national security requires it to be kept secret, unless it was proven differently.

(3) The provisions of paragraphs (1) and (2) shall also apply to the matter of section 113A.

(e)  It shall be a good defense for a person charged with an offense under subsection (c) that he did nothing unlawful to obtain information that constitutes secret information, and that he obtained, collected, prepared, recorded or kept it in good faith and for a reasonable purpose.

Secret information

113A. If a person passes secret information without being qualified to do so, then he shall be liable to fifteen years imprisonment.

Some of the sections of the law have an "intent" requirement which is probably lacking in this case. Regardless, I can't imagine the government pursuing criminal charges against the President- although the media would love it.

For an article about the role of the government censor in Israel, see here.

For an article about the Defence (Emergency) Regulations, see here.

New Draft Regulations for the Protection of Databases

Trade Secret Theft, Corporate Espionage or anything else you want to call it has been getting a lot of press recently. (See here and here.) C. Frank Figliuzzi, the head of the U.S. Federal Bureau of Investigation’s counterintelligence division, testified that based on the FBI data, "economic espionage losses to the American economy total more than $13 billion." See article here. The Center for Responsible Enterprise and Trade (CREATE) recently issued a white paper detailing some of the problems and possible solutions to trade secret theft.

There are a number of weak links in corporations that allow bad actors to steal company secrets: unencrypted networks and databases, hack attacks, and theft of data by employees or contractors. Some companies refuse to completely outsource operations due to the threat of data theft by companies located in the home country of the outsourced plant, so they are choosing captive sourcing instead. In captive sourcing the parent company builds and operates the plant in another jurisdiction but they are still subject to threat of competitors hiring their employees away and with them, valuable trade secrets. Many countries do not have robust legislation making trade secret theft illegal, giving companies little recourse after being victimized. CREATE has a number of suggestions for companies to help prevent trade secret theft. They suggest that companies:

1. Conduct a strategic assessment of the company's trade secrets.
2. Undertake appropriate pre-contractual due diligence.
3. Employ strong contractual protections.
4. Utilize appropriate operational and security measures.
5. Take appropriate action after a business relationship has ended.

Some of the specific suggestions include clearly identifying in contracts what information the company deems confidential and requiring the counterparty to restrict, monitor, and record employee access to sensitive information, and specifying that the company has a right to audit the counterparty to measure compliance. Also, depending on the country it may be important to have a forum selection clause identifying a friendly forum for any IP or trade secret disputes. Because some countries do not recognize the concept of a third-party beneficiary, companies should also consider entering into confidentiality agreements with key employees of the counterparty. If subcontractors will be used, the company might want to retain approval rights and ensure that any confidentiality agreements flow down to the subcontractor and any violation is the responsibility of the contractor. Other security measures such as monitored physical access to confidential data, encrypted or expiring files, separate computer systems for sensitive information, keeping certain systems disconnected from the internet, and instituting computer use policies to allow the monitoring of data transmissions.


It is interesting to note that in its second version of draft regulations regarding the protection of privacy, ILITA, the Israeli Law, Information and Technology Authority (Israel’s data protection authority) recommended many of the same security measures regarding the protection of sensitive information stored in databases. If formally implemented, the regulations will require companies to:

1. institute a data security protocol that describes the database structure, access privileges, security measures, provisions for periodic audits and what access privileges subcontractors have been granted.
2. ensure that its systems are kept in a secure location which prevents access for unauthorized users; Owners of medium and high security databases must document all entries and departures from database system facilities as well as all equipment that is taken into or out of those sites;
3. conduct a security audit at least once every two years to certify compliance;
4. tightly control Employee access to data and passwords must be changed immediately upon termination of an employee;
5. conduct periodic training sessions for employees, commensurate with the scope of their duties, on database settings, security procedures, and the data security provisions under the law;
6. implement a mechanism for automatic documentation that will enable inspection of all login attempts to the system including: username, date and time, scope of access, and components accessed, to be kept for 24 months;
7. implement automatic documentation of events that raise suspicions of data breaches or unauthorized access;
8. report serious security events to the Registrar of Databases as well as any steps taken in remediation;
9. implement security measures that take into account the special vulnerabilities of mobile devices;
10. disconnect the database system from the Internet or other public network unless appropriate measures are taken to protect against unauthorized intrusion or malware that can cause damage or disruption to the system;
11. encrypt the transfer of information over a wireless network, public network or the Internet using conventional encryption methods;
12. segregate systems that access the database from other systems used by the database owner;
13. explicitly list in a contract with the subcontractor:

a. The data and systems that the subcontractor may access and for what purpose;

b. The types of activities the subcontractor may perform on the data;

c. The term of the relationship with the subcontractor and the subcontractor’s requirement to return and destroy any data upon termination;

d. The subcontractor’s data security obligations under these Regulations;

e. That the subcontractor’s employees must sign non-disclosure agreements to protect the security of the data;

f. The subcontractor’s obligation to include all of the relevant provisions of the Regulations in any contract with any subcontractor of his;

g. The subcontractor’s obligation to report to the database owner, at least once a year, of his execution of his obligations under these Regulations and to inform the owner of any data security event.