Threat detection and reporting

Policies and procedures
What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?
It depends on whether the organisation is defined as an organisation of essential importance or whether the organisation is considered as a data controller or processor.
For organisations of essential importance, rules and procedures are imposed on them by either decree, ordinance or ministerial orders. As such, since 2016, entities operating in the electricity, maritime, finance, ISPs, space, gas, media, nuclear and arms industries shall adopt compulsory security measures, such as detection tools, defensive tools, strong authentication and restricted access protocols.
The same cybersecurity measures have been recommended by the CNIL regarding personal data on data controllers and processors, private or public. The EU General Data Protection Regulation has even provided, under article 32, security requirements that may be expected from data controllers and processors, respectively:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Describe any rules requiring organisations to keep records of cyberthreats or attacks.
France has rules requiring organisations to keep records of cyberattacks. Pursuant to article 34-bis of the Data Protection Act 1978 (which the EU General Data Protection Regulation extends to all data controllers and processors), ISPs are required to keep records of cyberattacks, and organisations of essential importance are subject to the same requirement under article 22 of the Military Programming Act 2013. Such records are collected by way of audit and must specify how the attack happened, its consequences and the measures taken. The law does not specify for how long these records must be kept.
Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.
Pursuant to article 34-bis of the Data Protection Act of 1978, ISPs must report, without any delay, data breaches to the CNIL. Under the new EU General Data Protection Regulation, this obligation is now borne by every data controller and processor, private or public. According to the Article 29 Data Protection Working Party Opinion 03/2014 on breach notification, three types of incidents must be reported:
- ‘confidentiality breach’ - where there is an unauthorised or accidental disclosure of, or access to, personal data;
- ‘availability breach’ - where there is an accidental or unauthorised loss of access to, or destruction of, personal data; and
- ‘integrity breach’ - where there is an unauthorised or accidental alteration of personal data.
To facilitate reporting, dedicated forms have been provided online and, in the particular case of personal data, this form can be submitted online.
Regarding organisations of essential importance and in accordance with article 22 of the Military Programming Act 2013, they must report any cybersecurity breach or incident to the ANSSI.
Notification of violation and breach is followed by a report. The information required in reports of cyberthreats depends on the business sector of the organisation considered of essential importance. Regarding personal data, the EU General Data Protection Regulation is more precise on the matter: data controllers and processors must provide precise information on the time of the attack, its nature, the personal data affected, the remedies applied and the potential consequences of the breach, among others.

Timeframes
What is the timeline for reporting to the authorities?
Entities must report without any delay to the CNIL when the breach concerns personal data, and to the ANSSI if the entities affected are qualified as of essential importance. The EU General Data Protection Regulation provides more precision about the timeline, namely that the incident must not be reported later than 72 hours (where feasible) after the entity has become aware of the breach.
To facilitate reporting, dedicated forms have been provided online and, in the particular case of personal data, this form can be submitted online.

Reporting
Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.
According to article 34-bis of the Data Protection Act of 1978 and in the case of a personal data breach, ISPs are compelled to report, without any delay, to customers aggrieved by such breach. This obligation has been extended to all data controllers and processors under the EU General Data Protection Regulation. Such notification may be waived if the CNIL certifies that appropriate measures have been taken to make direct or indirect identification impossible. According to the Article 29 Data Protection Working Party, in its Guidelines on personal data breach notification for the new regulation, dedicated messages should be used when communicating a breach. These include, among others:
- direct messaging (eg, email, SMS and direct message);
- prominent website banners or notification;
- postal communications; and
- prominent advertisements in print media.