Legal mapping of cybersecurity

Maître Garance Mathias, founding lawyer at Mathias Avocats, presents a non-exhaustive list of the legal obligations that bear on cybersecurity. And they are many!

Regardless of the sector in which they operate, public and private companies are subject to rules laid down by the national or European legislator and by regulatory authorities. These rules also emanate from the competent authorities, whose role is to support businesses, notably through information, advice, awareness-raising and training, but also to monitor how the texts are applied; examples include the National Commission for the Freedom of Information (CNIL) and the National Agency for the Security of Information Systems (Anssi). The common feature of these regulations is that they require a company to define, implement and maintain organizational, legal and technical measures appropriate to its current situation. Ultimately, these measures also allow the company to constitute, preserve and safeguard evidence that is admissible before the competent authorities, so that it can defend its rights. Here is a non-exhaustive list of the various regulations that a company must consider in its daily operations, both internally and externally.

The protection of personal data

Firstly, the company is subject to an obligation to protect personal data under the “Information Technology and Freedom” law. With the General Data Protection Regulation (GDPR) applying from May 25, 2018, companies must already be anticipating the implementation of compliance governance, which could be managed by an appointed Data Protection Officer (DPO). The objective is for the company to be able to demonstrate that the processing it carries out complies with the GDPR. In this context, every company will need to map its processing operations, locate where data is stored (server locations and back-up locations) and identify data flows, distinguishing between intra-group and extra-group flows. Where a service provider is used, the contract is an indispensable tool: it should cover the security measures put in place, the management of security incidents and data breaches, and the arrangements for collaboration between the parties in the framework of the impact assessment … Finally, it should be noted that providers of publicly available electronic communications services are already required to notify personal data breaches to the CNIL pursuant to Article 34bis of the “Information Technology and Freedom” law.

Operators of Vital Importance

Moreover, the company is subject to obligations arising from texts that define a high level of security. Operators of Vital Importance (OVI) are subject to specific obligations regarding the protection of their information systems. In particular, they must notify the Anssi of any security incident, under the Military Programming Act (MPA). In addition, providers that take part in the security or operation of OVI information systems are contractually bound by the obligations set out in the MPA. It should also be borne in mind that the so-called ‘NIS’ Directive of 6 July 2016, which must be transposed by 9 May 2018 at the latest, will in particular require digital service providers (providers of on-line marketplaces, on-line search engines and cloud services) to secure their information systems and infrastructure and to manage incidents …

Employees

With regard to employees, the employer must ensure their health and safety. In this context, it must put in place preventive measures, particularly through training and awareness-raising. The conditions of use of the computer and telecommunication facilities made available to employees must be regulated without disregarding employees’ rights, and employee monitoring devices are subject to the same requirements. The company will need to draw up an information technology charter, which will have disciplinary force for employees since it should be annexed to the internal company rules. In addition, Act No. 2016-1691 of 9 December 2016, known as the “Sapin II” law, requires companies to define a reporting procedure that is made available to all employees, including external and casual staff. This procedure must allow users to report internally the various breaches defined by law.

Business secrecy

Particular attention should be paid to the Directive on Business Secrecy of 8 June 2016, which must be transposed by June 2018. The purpose of this Directive is to protect business information provided that it is secret, has commercial value because of its secrecy and has been the subject of reasonable provisions designed to keep it secret. The application of business secrecy still requires some clarification, notably as to what counts as reasonable provisions. Nevertheless, companies have every incentive to take measures that keep their information secret and that allow them to identify any violation of that secret and any unauthorized use of it (encryption, marking of information …). The use of enhanced confidentiality clauses in both employment contracts and service contracts can only be encouraged.

Intellectual property

A policy for the management and valuation of the intangible assets linked to intellectual property rights (brand portfolio, licenses, databases) must be put in place by company management. It is highly recommended that companies make sure they own the intellectual property rights to the tools they use or make available to third parties. For example, a mapping of licenses should be carried out in order to anticipate license audits.

To conclude, the company not only has obligations but also rights. The emergence of a corporate culture that integrates the protection of personal data and, more generally, of the company’s assets therefore implies the implementation of true governance. This is all the more important because breaches of the aforementioned regulations may be penalized at the civil, criminal and administrative levels. By way of illustration, breaches of the GDPR may be sanctioned by fines of up to 20 million euros. Awareness of the various legal issues (intellectual property, security, personal data, etc.), tailored to each key player (governing bodies, collaborators), plays a vital role.