Update January 2023: The LOPMI
Court of Cassation ruling on territorial jurisdiction (STAD attack by DDOS)
Cybersecurity
For several years, cyberattacks have been on the rise in France; cyber threats are estimated to have increased by around 400 % since 2020. ANSSI (the National Agency for the Security of Information Systems) had already identified this risk a few years ago and predicted that the threat would grow over the following years.
Although cyberattacks initially targeted companies, they increasingly affect hospitals and local authorities as well. How can this explosion in cyberattacks be explained? What is cybersecurity, and what is its role?
What is cybersecurity?
The main objective of cybersecurity is to protect computer systems, networks and programs against digital attacks. Very often, these attacks seek to access sensitive information in order to modify or destroy it, or to exploit it, most often for financial gain.
Cybersecurity, also called computer security or information systems security, is divided into several categories:
network security,
application security,
information security,
operational security.
The most widespread cyberattacks aim to collect information in order to reuse it in various ways. Cyber threats come in many forms, such as viruses, Trojan horses, spyware, ransomware, adware and botnets. In recent years, three threats in particular have become increasingly common:
Dridex malware. This banking Trojan spreads through phishing emails carrying malicious attachments. By harvesting login credentials, bank details and personal data, cybercriminals can then carry out fraudulent transactions.
Romance scams. Operating on chat rooms, apps and dating sites, the scammers exploit the emotional vulnerability of their victims to obtain personal data (and often money), which they then use for criminal purposes.
Emotet malware. This Trojan steals data and spreads across networks, among other ways by brute-forcing weak passwords.
Law and cybersecurity: consult a lawyer specializing in IT law in Paris
Cybersecurity law covers all intentional, human-caused risks and threats that can harm a company's assets. Faced with a phenomenon of ever-growing scale, a company may regularly need a lawyer, both to protect itself against cyberattacks and to defend its interests in proceedings in which it is a victim or is itself implicated.
French and European law establishes a clear and precise legal framework that requires strict security measures. Every company must meet these obligations or risk heavy penalties. In particular, where a cyberattack was made possible by the company's failure to comply with its security and confidentiality obligations, the company exposes itself to substantial financial penalties that may be imposed by the CNIL (Commission nationale de l'informatique et des libertés, the French data protection authority).
To comply with these personal data protection rules, companies can be assisted by a cybersecurity lawyer. The specialized lawyer can help the client draft the contractual documents and complete the formalities needed to meet legal obligations, advise on the protection and security solutions to put in place, and defend the client's rights in the event of a dispute.
Cybersecurity: why is it essential?
Putting in place measures that effectively counter the cyber threat is increasingly difficult. Digital technology evolves constantly, and attackers keep up with these changes and are always innovating.
Businesses need to be aware of cybersecurity risk. By monitoring specifically for the cyber threats they may face, managers can anticipate them and react as effectively as possible.
For a business, being the victim of a cyberattack can mean loss of sensitive data, significant financial loss (from the theft itself and from the cost of recovering stolen data), damage to reputation and, in some cases, the closure of the business.
A company must therefore ensure the security of online purchases, both to comply with the legislation and to build trust with its customers.
What are the fundamentals of cybersecurity?
Cybersecurity has five main objectives: integrity, availability, confidentiality, non-repudiation and authentication. No computer system is infallible, whatever preventive measures are in place. To detect a cyber threat, a company must therefore carefully monitor its own defenses. To prevent IT risk, it is necessary to:
Properly analyze the risks,
Define a security policy,
Implement a prevention solution,
Frequently evaluate protection solutions,
Constantly update the protection system as the risks evolve.
Cybersecurity regulations: what rules for companies?
Companies are required to comply with a number of computer protection and security rules set by French law. Otherwise, their liability may be engaged and they may face significant penalties.
Every company is required to protect its data as far as possible, and it is entitled to use any solution useful for its protection against cyberattacks. As an employer, it must also protect its employees' personal information. A company may need to bring cybersecurity skills in-house by creating an Information Systems Department (DSI). By entrusting audits to an outside expert, the company can also have the processes it has put in place reviewed and analyzed, so as to achieve effective cybersecurity.
Data protection is one of the main objectives of measures against cyberattacks. Each company must therefore put in place protective measures that guarantee the confidentiality and integrity of data. To guarantee effective protection, a company must apply:
Encryption of data and connections,
Strong authentication measures, and detection of automated (bot) access where relevant,
Measures ensuring access to data in all circumstances, through secure, tested backups.
Using the protection assessment procedures in place, the company must be able to improve its protection at any time, adapting to newly discovered flaws and to technological change.
Every company must comply with the GDPR (General Data Protection Regulation). The GDPR defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (Article 4(12)). A company must therefore protect the data held in its systems. By raising its level of security to meet the GDPR's requirements, the company avoids incidents that could harm it and cost it the trust of its customers.
An increase of 400 % in cyberattacks in two years: how can it be explained?
Since 2020, there has been an explosion of cyberattacks in France. Nearly half of French companies report a significant increase in attacks over the past two years. In its latest activity report, the GIP ACYMA (Groupement d'Intérêt Public Action contre la Cybermalveillance) reports a sharp rise in requests for online assistance.
ANSSI (the National Agency for the Security of Information Systems) recorded a 37 % increase in intrusions into computer systems, i.e. just over 1,000 intrusions during 2021. 69 % of these cyberattacks concerned companies, 11 % hospitals and 20 % local authorities.
While more than one company in two was a victim of cybercrime in 2021, fewer than one in two allocates part of its budget to cybersecurity; few companies set aside funds for network security tools and solutions. Employees are not always sufficiently aware of the IT danger and of potential cyberattacks: it is estimated that around 85 % of data breaches involve human error, most commonly opening a fraudulent email.
Following the Covid-19 health crisis, many companies link the increase in cyberattacks they face to the rise in teleworking among their employees. While certain security solutions deployed in the workplace limited the risk of cyberthreats, companies could not always ensure the security of their data in a teleworking context.
What is NIS Directive 2?
It is a directive that aims to strengthen and harmonize the European framework against cyberattacks, and is intended to replace the 2016 NIS Directive (Directive (EU) 2016/1148).
Law of 24 January 2023 on the orientation and programming of the Ministry of the Interior (LOPMI)
With the LOPMI 2023, the legislator intends to strengthen the means of fighting cybercrime.
Criminal cases involving STAD attacks (attacks on automated data processing systems, in French "systèmes de traitement automatisé de données") will no doubt receive closer attention and better investigation into the origin of the attacks.
The law provides a budget of 15 billion euros over the next five years to strengthen the means of fighting cybercrime (recruitment, acquisition of equipment).
Notable provisions include:
- a section on the seizure of digital assets by the judicial authorities (Article 706-154 of the Code of Criminal Procedure and Article L54-10-1 of the Monetary and Financial Code), allowing in particular the seizure of cryptocurrencies; this provision echoes the PSAN regime for the registration of crypto-asset service providers;
- payment of insurance compensation following a cyber ransom demand is conditional on filing a criminal complaint within 72 hours (Article L12-10-1 of the Insurance Code);
- penalties are raised to seven years' imprisonment and a fine of 300,000 euros, with aggravating circumstances where others are endangered (for example cyberattacks on hospitals that endanger patients' lives);
- administering darknet platforms is made an offence (Article 323-3-2 of the Penal Code), with the aggravating circumstance of an organized gang;
- STAD attacks are punished more severely (Articles 323-1 et seq. of the Penal Code);
- investigations under a pseudonym (Article 230-46 of the Code of Criminal Procedure).
Crim. 20 August 2018, F-P+B, n° 18-84.728
In this judgment, dismissing an appeal that I had brought in the context of a derogatory procedure, the Court takes note of a lack of territorial jurisdiction, holding that a referral based on the concurrent national jurisdiction of the Paris tribunal de grande instance for offences relating to automated data processing systems is the sole prerogative of the public prosecutor, so that it cannot be made by the civil party, and that the civil party could have presented its observations on the matter.
However, no text excludes referral to the tribunal de grande instance of Paris by the civil party, and in complex cases of indeterminate territorial scope, one might think that the national jurisdiction of the Paris tribunal de grande instance is precisely what should apply.
Above all, the judgment seems to point to the lack of resources available to the justice system at that time, during the summer period, for fighting cybercrime. See the Dalloz commentaries: "Breaches of automated data processing systems: details on the jurisdiction of the Parisian justice system" and "The delicate rise of justice in cybercrime cases".
In this case, it was a STAD attack (Articles 323-1 et seq. of the Penal Code; obstructing the operation of an automated data processing system is Article 323-2) carried out by DDoS (distributed denial of service) that gave rise to a complaint with constitution of civil party (plainte avec constitution de partie civile). The case was dismissed, the investigations having failed to identify the perpetrators. That is the difficulty of these cases.
Cass. crim., 20 August 2018, appeal no. 18-84.728, Criminal Division, restricted formation, published in the Bulletin, ECLI:FR:CCASS:2018:CR02068