It’s a fact: data hacking and computer fraud are constantly evolving. The growing number of attacks linked to cyber terrorism has been making headlines these past few years. In some instances, such attacks have had disastrous consequences for the targeted companies, from both a financial and a reputational perspective.
For example, in May 2014 eBay had personal data from over 233 million clients stolen. More recently, personal data belonging to over two million subscribers of the national broadcaster TF1 was hacked.
Cyber-threats are capable of silently and efficiently spreading on an extremely large scale, without distinction as to the branch of activity, the size of the company or its location.
Yet the French data protection act (the “Act”) requires that companies which process personal data “ensure the security of the data and in particular prevent them from being distorted, damaged or accessed by unauthorized third parties” (cf. article 34), failing which they could face sanctions of up to 5 years in prison and a 300,000 euro fine (1,500,000 euros for companies). This sanction can be further increased by damages payable to the victims of such leaks, which may now take the form of class action suits, as these are now authorized in France. These attacks are all the more problematic given that insurance companies are increasingly refusing to cover cyber-attack risks in their civil liability policies.
Faced with the ingenuity of hackers and the fact that security measures become obsolete even before they are implemented, how can companies comply with their data protection obligations and avoid sanctions?
The Act requires data controllers to take all “necessary measures”; accordingly, they must implement all appropriate technical and organizational measures in order to guarantee the security, integrity and confidentiality of the data. Data controllers will be exonerated from liability to the extent that they have properly implemented such measures.
Unfortunately, there is no list of which technical measures should be put in place, either in general or in respect of any particular category of data. In any event, given the speed at which technology is evolving, such a list would soon be out of date.
As a result, in order to avoid sanctions, the data controller will have to:
- Always keep up to date with the new technology and the technical measures that can counter cyber attacks;
- Implement these technical measures if they are adapted to the processing in question;
- Follow the CNIL recommendations regarding security;
- Raise awareness at all levels throughout the company with respect to issues linked to the protection of personal data (56% of French companies that suffered attacks revealed that they were perpetrated by someone in-house); and
- Manage employees while still respecting their right to privacy.
It is also important to underline the fact that the data controller can still be held liable for the hacking of data managed by a subcontractor (data processor), such as a hosting service provider. Accordingly, it is of the utmost importance to contractually require that every subcontractor implement strict security measures (and, in any event, measures no less stringent than those implemented internally by the data controller).
Since the vast majority of subcontractors are based abroad or use standard-form (adhesion) contracts, this process can prove difficult, but it remains absolutely necessary.