May – June 2022
Towards a reinforcement of cyberlaw
During the health crisis, the number of cyber-attacks on companies in France was multiplied by 4. This explosion of cybercrime has revealed the need to promptly adapt the normative framework for cybersecurity.
However, the normative framework of cybercrime remains scattered among several texts touching different areas of law. For example, criminal law provides the tools for the repression of cyberattackers, intellectual property law offers tools to fight against the consequences of thefts and usurpations of a company’s data, and labor law can allow the implementation of internal prevention systems within companies.
It was therefore necessary to centralize all these rules in order to clarify and harmonize the legal instruments to fight against cybercrime. In this context, on June 2, 2022, the Cybersecurity Code will be published by DALLOZ, making the legal response to the cyber threat more accessible.
This restructuring of the normative framework is combined with a consolidation movement that was recently illustrated through the adoption of the law n° 2022-309 of March 3, 2022 for the implementation of a cybersecurity certification.
More specifically, the protection of companies that are victims of cyber attacks has often been discussed, but these companies can also process personal data of consumers, data that can be stolen during a cyber attack.
Until now, consumers had little or no way to fight against the indirect misappropriation of their own data in the event of a cyber attack on one of the companies with which they agree to share personal data in exchange for the goods and services it offers.
Article 32 of the GDPR (RGPD in French) specifies that the controller must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, but this text does not provide consumers with tools to know the degree of protection deployed by the company to ensure the inviolability of their own data.
This is why, on March 3, 2022, the so-called “cyberscore” law was adopted, which imposes new cybersecurity obligations on the most widely used digital platforms, instant messaging and video conferencing sites.
These operators will have to inform Internet users, by means of a visual “cyberscore”, of the security of their site or service and of the security and location of the data hosted by them or by their service providers (especially in the cloud).
The cyberscore information will be taken from a security audit that they will have to perform. The new law stipulates that this audit will be carried out by service providers qualified by the French National Agency for Information Systems Security (ANSSI).
The system is scheduled to come into effect on October 1, 2023. If the cyberscore visual leads users of digital platforms to change their habits, as was the case with the introduction of the nutri-score for food products, this can only lead the various players to strengthen the security of digital spaces.
In commercial matters, these practices will be extended to relations between commercial companies, which will lead to the inclusion of cybersecurity clauses in contracts. There are already warranty clauses in case of security breaches to oblige companies to be more vigilant.
The firm Cazeau, in collaboration with the Bar Association of the Balearic Islands, is organizing a morning devoted to the legal issues of cybercrime. This seminar will be held in Palma de Mallorca on September 29, 2022 and will involve both legal professionals and cyber security specialists.
Alexia Duran Froix