# Privacy Incident Response Israel | Authority Report Within 72 Hours

> Professional response to data security incidents / data breach / ransomware / human error. Authority notification within 72 hours, data-subject communications, public statement drafting, post-mortem and lessons learned. DPO support during the first 24-72 hours.

**Canonical:** https://dpoisrael.com/en/services/incident-response/  
**Locale:** en-IL

---
Active incident? Call now — not a form.

# Privacy Incident Response

**Data breach**, **ransomware**, **phishing**, human error, or an Authority inquiry: every privacy incident requires a coordinated response within hours. **DPO** support during the first 24-72 hours, Authority notification drafting, data-subject communications, and a formal post-mortem.

## Incident Response — how it works

- **Response time:** 24/7 for retainer clients; 2h for new inquiries
- **Notification deadline:** Within 72 hours to Authority (recommended)
- **Emergency rate:** 450-850 ILS per hour
- **Incident pack:** 8,000-25,000 ILS by scope
- **Covers:** Breach, ransomware, phishing, human error, Authority inquiry
- **Deliverables:** Authority notification, subject communications, post-mortem
- **In DPO as a Service:** 1-2 incidents/year in Professional tier
- **Avg handling time:** 7-30 days from incident to formal closure

## The first 72 hours

Hours 0-2

### Initial triage

What happened? When? What data is involved? How many subjects? Is the action ongoing? Is there immediate risk? Setting priority and freezing state.

Hours 2-6

### Notification obligation assessment

Is Authority notification required under Amendment 13? Notification to data subjects? Under GDPR? Sector-specific regulation? Document decisions.

Hours 6-24

### Information gathering & initial post-mortem

Work with IT / CISO / forensics — what was the breach scope, which databases, which subjects, which systems. Organized documentation.

Hours 24-72

### Authority notification & message drafting

Formal notification to the Israeli Privacy Authority. Drafting messages for data subjects, management, customers, and media if required. Cross-department coordination.

72 hours to 7 days

### Response and deepening

Handle subject inquiries, Authority queries, media. Expand investigation, find more affected records, deploy mitigations.

Days 7-30

### Formal post-mortem

Internal post-mortem report, fix list, required investments. Presentation to management and audit committee. Update policies.

## Eight incident types we handle

### Data breach

Unauthorized access, exposed database, spreadsheet sent to wrong address. Most common type.

### Ransomware

Forced encryption and a ransom demand. Judgment call: pay or not; was the data also exfiltrated (double extortion)?

### Phishing success

An employee clicked a link and gave up credentials, and external actors got in. Scope assessment, access blocking, password reset.

### Human error

Email to wrong distribution list, unencrypted document batch, accidental site publication. Usually less severe — but still requires assessment.

### Internal unauthorized access

Employee accessed a database they shouldn’t have. Question: intent? Misuse? How was it discovered?

### Vendor breach

Your vendor was hit, and your data leaked. **Still your duty** to notify the Authority and data subjects — not theirs.

### Authority inquiry

Authority opened an investigation, audit, or information request. Also an "incident" requiring professional coordination and precise drafting.

### Lawsuit / legal threat

Data subject threatens lawsuit, contacts a lawyer, files a complaint with the Authority. Requires legal-privacy-PR coordination.

## What goes in the Authority notification

| Field | Detail |
| --- | --- |
| Incident description | When, where, how discovered, who is involved |
| Scope | How many subjects, what data types, whether special-category data |
| Processing purposes | Why data was originally collected, on what legal basis |
| Security measures in place | What was active, and why it didn’t prevent the incident |
| Mitigations taken | What you did to stop the incident and prevent further harm |
| Future plan | What change will prevent the next occurrence (controls, policies, training) |
| Communications to subjects | Whether, when, and how you notified affected subjects |
| DPO contact / official point of contact | Whom the Authority can reach for clarifications |

## Frequent questions about incident response

### When is Authority notification mandatory?

Under Amendment 13, notify the Israeli Privacy Authority of an incident with "significant" privacy impact. Criteria: number of affected subjects, sensitivity, likelihood of harm. Conservative recommendation: notify even when in doubt. Ignoring an incident that later surfaces is worse than over-notifying.

### What is the timeline?

Amendment 13 doesn’t specify a strict 72-hour deadline as GDPR does, but the Authority expects notification **without undue delay**. Recommendation: initial notification within 72 hours (even if not complete), with updates afterward. Notifications are submitted through the Authority’s online system.

### What if the investigation is still ongoing?

It’s correct to file a "preliminary" report stating that the investigation is ongoing, and to update the Authority within 7-14 days. A partial report on time is better than a complete one that is late.

### Must we notify data subjects?

It depends on risk severity. If subjects face "real" risk (identity theft, financial harm, substantial privacy impact), you must notify them. If the risk is low or mitigated by measures (encryption, password reset), possibly not. The decision is always documented.

### Do you offer 24/7 availability?

During an emergency, yes. Every DPO as a Service client gets an emergency phone line that reaches the Chief DPO 24/7. Most incidents are handled within hours, including nights, weekends, and holidays.

### We are not your client — can we get urgent help?

Yes. A sudden security incident is one of the most common ways clients start with us. [Contact us directly](/en/contact), we respond within 2 hours, and build a response plan within 24 hours.

### How much does it cost?

Emergency rate: 450-850 ILS per hour (depending on urgency and time of day). Single-incident pack: 8,000-25,000 ILS by scope. Active [DPO as a Service](/en/services/dpo) clients — 1-2 incidents per year included in the retainer.

### What should I do right now if I have an incident?

1. Take notes: write what you know.
2. **Do not delete logs.**
3. Freeze the affected account/system if still active.
4. Contact us / a DPO / a lawyer.
5. Don’t talk to media until you have an approved statement.

## Have an active incident?

Don’t wait until morning. [Contact us now](/en/contact) — I respond within 2 hours, including nights and holidays.

