Cybersecurity, a major concern

by | Nov 9, 2022

Cybersecurity

For several years, cyberattacks have been on the rise in France. We estimate an increase of +400 % in cyber threats since 2020. This is also a risk that had already been mentioned by the ANSI (National Agency for the Security of Information Systems) a few years ago. , which predicted an increase in the threat over the next few years.

Although cyberattacks initially targeted companies, they increasingly concern medical establishments and local authorities. How can this explosion of cyberattacks be explained? What is cybersecurity and what is its role?

What is cybersecurity?

The main objective of cybersecurity is to protect computer systems, networks and programs against digital attacks. Very often, these cyberattacks aim to try to access sensitive information in order to modify or destroy it or to use it in order to profit from it, most of the time financially.

Cybersecurity, also called computer security or information systems security, is divided into several categories:
network security,
application security,
information security,
operational security.

The most widespread cyberattacks aim to collect information in order to reuse it in different ways. There are different types of cyber threats such as: virus, Trojan horse, Spyware, Ransomware, Adware or Botnet. However, in recent years, we have discovered 3 new cyber threats that are increasingly used:
Dridex Malware. It is a Banking Trojan that infects systems by sending phishing emails. By recovering connection data, bank details or personal data, cybercriminals can thus carry out dishonest transactions.
Romance scams. These scams aim to set up scams on chat rooms, apps or dating sites. By taking advantage of the vulnerability of the victims, the hackers recover personal data which they will then use for criminal purposes.
Emotet Malware. This Trojan allows data to be stolen by taking advantage of an insecure password.

Law and cybersecurity, consult a lawyer specializing in computer law in Paris

Cybersecurity law concerns all the risks and all voluntary threats that are of human origin and that can harm the assets of the company. Faced with a phenomenon on an increasingly large scale, a company may regularly have to call on a lawyer to protect itself from cyberattacks and to defend its interests in a case in which it could have been a victim or implicated.

French and European law establishes a clear and precise legal framework which requires the implementation of strict security measures. Any company is required to meet its obligations at the risk of exposing itself to heavy penalties. Indeed, in the event that a cyberattack would have been made possible by the fact that the company did not respect its obligations in terms of security and confidentiality, the company would then expose itself to heavy financial penalties that could be imposed by the CNIL (National Commission for Computing and Liberties).

In order to comply with these personal data protection regulations, companies can be accompanied by a cybersecurity lawyer. The specialized lawyer can thus accompany his client in the drafting of a contractual document and in the formalities essential to compliance with legal obligations. The lawyer specializing in cybersecurity provides advice on the protection and security solutions to be put in place. He can ensure the defense of the rights of his client in the event of a dispute.

Cybersecurity: why is it essential?

Putting in place measures that effectively combat the cyber threat is increasingly complicated today. Indeed, digital evolution is constant and hackers are well informed of these transformations and know how to be always more innovative.

Businesses need to be able to be aware of cybersecurity risk. By providing specific monitoring to identify the cyber threats they may face, managers can thus anticipate and react in the best possible way to cyber threats.

For a business, being the victim of a cyberattack can lead to loss of sensitive data, significant financial loss due to theft and to recover stolen data, damage to reputation and in some cases can even lead to the closure of a business. .

A company must therefore ensure that it guarantees the security of online purchases in order to comply with the legislation and in order to build trust with its customers.

What are the fundamentals of cybersecurity?

Cybersecurity has five main objectives: integrity, availability, confidentiality, non-repudiation and authentication. No computer system is infallible despite the implementation of various preventive measures. Thus, to detect a cyber threat, it is necessary to ensure careful monitoring of its own computer protection. In order to prevent IT risk, it is necessary to ensure that:
Properly analyze the risks,
Define a security policy,
Implement a prevention solution,
Frequently evaluate protection solutions,
Constantly update the protection system according to the evolution of
risks.

Cybersecurity regulations: what rules for companies?

Companies are required to comply with a few computer protection and security rules set by French law. Otherwise, their liability may be incurred and the company may be exposed to significant penalties.

Every company is required to protect its data as much as possible. It has the right to be able to use all the solutions useful for its protection against cyberattacks. As an employer, it is also about being able to protect employees with regard to their personal information. A company may need to internalize cybersecurity skills by creating an Information Systems Department (DSI). By entrusting audits to an outside expert, the company can also ensure control and analysis of the processes put in place to obtain optimal and effective cybersecurity.

Data protection is one of the main objectives in implementing solutions to protect against cyberattacks. Thus, each company must make sure to put in place protective measures that guarantee the confidentiality and integrity of data. To guarantee effective protection, a company must therefore ensure that it applies:
Data and connection encryption methods,
Strong authentication measures to detect potential robots,
Data access measures in all circumstances, through secure backups,
With the protection assessment procedures in place, the company must be able to improve its protection at any time in order to comply with flaws and digital developments.

Every company must be able to comply with the rules concerning the GDPR (General Data Protection Regulation). The GDPR defines a personal data breach as "a security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of personal data transmitted, stored or otherwise processed otherwise, or unauthorized access to such data. Therefore, a company must protect the data it has in its system. By increasing its level of security in order to comply with the various requirements of the GDPR, the company avoids any incident that could harm its values and cause it to lose the trust of its customers.

An increase of +400 % in cyberattacks over 2 years: how to explain it?

Since 2020, there has been an explosion of cyberattacks in France. Nearly half of French companies recognize a significant increase in attacks over the past two years. Indeed, in its last activity report, the GIP ACYMA (Groupement d'Intérêt
Public Action against Cybermalveillance), reveals a significant increase in requests for online assistance.

ANSSI (National Agency for the Security of Information Systems) recorded an increase of +37 % in intrusions on computer systems, i.e. just over 1,000 intrusions during the year 2021. 69% of cyberattacks concerned companies, 11% hospitals and 20 % local authorities.

If more than one in two companies were victims of cybercrime during the year 2021, we also note that less than one in two companies invests a financial part of their budget in their cybersecurity. Indeed, few companies reserve part of their budget for the acquisition of network security tools and solutions. Employees are not always sufficiently well aware of the computer danger and potential cyberattacks. It is estimated that approximately 85% of private data breaches are caused by human error which primarily involves opening a fraudulent email.

Following the health crisis of the Covid-19 pandemic, many companies are making a link between the increase in cyberattacks they are facing and the increase in telework by their employees. While in the workplace, certain security solutions put in place by the company made it possible to limit the risk of cyberthreats, in the context of teleworking, companies could not always ensure the security of their data.

Lawyer specializing in IT law

What is NIS Directive 2?

It is a directive which aims to strengthen and standardize the European anti-cyber attack system, and which is intended to replace the NIS 2016 / 1148 directive – State of the adoption procedure here

Data transfer: the necessary assessment of foreign legislation?

by | Jul 9, 2021

Update November 2, 2022

 

The European Data Protection Board (EDPB) provides its framework for compliance with the GDPR in the event of data transfer outside the European Union.

Recommendations 01/2020 on measures that
supplement transfer tools to ensure compliance with
the EU level of protection of personal data
Version 2.0
Adopted on 18 June 2021.

 https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_fr

It was to be expected that this framework would lighten the contractual formalities for companies (Binding Corporate Rules or standard contractual clauses) in terms of transferring data outside the European Union.

Mais il ressort de ce cadre que l’examen minutieux des législations étrangères reste nécessaire, comme le préconise l’arrêt Schrems II (https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX%3A62018CJ0311), dès qu’une zone territoriale est identifiée comme incertaine par les autorités européennes : https://www.cnil.fr/fr/la-protection-des-donnees-dans-le-monde,

Except to fall within the derogations provided for by article 49 of the GDPR.

Indeed, a sovereign State can in all cases access the data, on specific request: only a general request for access to the data could be contested in terms of principles.

With regard to data transfers to the United States, there is still no adequacy decision by the European Commission, after the so-called Schrems I CJEU judgments of October 6, 2015 (C-362/14) (invalidation of the Safe Harbour) and Schrems II of July 16, 2020 (C-311/18) (invalidation of the Privacy Shield). US legislation indeed reflects a conception of privacy centered on the protection of American citizens, not including foreigners, which is not the universalist one of the European Union.

The 4th Amendment to the United States Constitution provides: "The right of citizens to be secure in their person, domicile, papers and effects against search and seizure without reason shall not be violated nor shall it be issued no warrant except on serious presumption, corroborated by oath or solemn declaration and describing with precision the place to be searched and the persons or things to be seized. »

Despite efforts at reconciliation (cf. Joe Biden's recent executive order of October 7, 2022 clearly providing for recourse to a delegate of the executive power and even to an independent court but whose opinions are not enforceable), the legislation US still provides for mass surveillance and the lack of effective remedies with regard to the rights of data subjects.

It is therefore first and foremost up to the data exporter, in a perilous exercise of evaluation, to check foreign legislation. The Committee provides a list of data sources in Annex III of its recommendations.

The new Standard Contractual Clauses (“SCC”) (adopted by the European Commission on June 4, 2021 and published on June 7, 2021, which will enter into force on June 27, 2021, https://eur-lex.europa.eu/eli/ dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=fr) do not exempt from this exercise.

The provisional Doctolib decision can give clues on how to secure a data transfer: location and encryption in France, obligation for the European subsidiary to contest the foreign “general” request, insensitive data, short data retention period: https://roquefeuil.avocat.fr/2021/04/transfert-de-donnees-sur-un-cloud.html 

Consult a lawyer specializing in computer law

Data transfer to a foreign cloud: the Doctolib decision

by | May 12, 2021

CE, ord. ref., March 12, 2021, Doctolib, req. No. 450163 – Interim interim decision

In its Doctolib decision, the Council of State recognizes the incompatibility of American law with the protection of personal data in the European Union

Concerning the United States, the Schrems II judgment (CJEU July 16, 2020, case C-311/18) invalidated the Privacy Shield, equivalent to an adequacy decision, which allowed companies submitting to it to export personal data to the United States. American law authorizes public authorities to access personal data without providing the persons concerned with effective remedies.

The Doctolib company, which offers an online medical appointment service, hosts its data on the servers of a subsidiary of Amazon Web Services (AWS), a company incorporated under US law. As part of the vaccination campaign against covid-19, Doctolib has been appointed by the Ministry of Solidarity and Health to manage the related appointments.

The judge in chambers of the Council of State was seized of a request for suspension of this partnership insofar as it would disregard the general regulation on data protection (EU) 2016/679 of April 27, 2016 (RGPD).

The judge rejects that:

AWS Sarl, a Luxembourg subsidiary of AWS Inc., is certified “health data host” (CSP, art. L. 1111-8). The data is hosted in centers located in France and in Germany and there is no provision in the contract for any transfer of data to the United States for technical reasons. Since AWS Sarl is a subsidiary of a US company, it may be subject to an access request by US public authorities, according to the applicants.

Data in question. – The Council of State notes that “the disputed data includes personal identification data and appointment data but no health data on any medical grounds for eligibility for vaccination”, people simply having to justify their eligibility with a sworn statement.

The duration of the conversation. – The data “ are deleted at the end of a period of three months at the latest from the date of making an appointment, each person concerned having created an account on the platform for the purposes of vaccination can delete it directly online”.

Request for access by US public authorities. – In order to secure their relations, it is stipulated in the contract thatAWS will have to contest “any request that is general or does not comply with European regulations ". This measure is accompanied by a "device for securing data hosted by the company AWS through a encryption procedure based on a trusted third party located in France in order to prevent the reading of the data by third parties”.

> the level of protection thus put in place by the parties “cannot be regarded as manifestly insufficient with regard to the risk of violation of the GDPR”.

 

The scope of the decision is relative in that it is a provisional interim decision which penalizes the “manifestly unlawful” and which could therefore be corrected. To be continued.

 
V.also
CNIL, delib. n° 2020-044 of Apr. 20, 2020 and press release of Oct. 14, 2020
CE, ord. ref., 13 Oct. 2020, n° 444937
 
 
en_GBEnglish
en_GBEnglish fr_FRFrench de_DE_formalGerman es_ESSpanish pt_PTPortuguese it_ITItalian