In your jurisdiction, do certain types of cyber incidents (eg, data breaches, unauthorised destruction, data leakage) trigger mandatory or voluntary notification requirements? How are such incidents defined? Are notification requirements dependent on the type of information affected? If so, what types?
Answer: No rules are imposed on software publishers regarding the communication of software vulnerabilities. System manufacturers and software vendors adopt differing strategies for handling security vulnerabilities.
However, the following incidents must be reported.
Health information security incidents: Health centres must report to the regional health agencies serious security incidents that affect their information systems – that is, events that generate exceptional situations, and in particular incidents:
- with potential or proven consequences for the safety of healthcare;
- with consequences for health data confidentiality or integrity; or
- that affect the normal functioning of the institution, organisation or service concerned.
Personal data breaches to the data protection supervisory authority (CNIL): Under the General Data Protection Regulation, the data controller must notify a breach to the CNIL if it entails a risk to the rights and freedoms of the data subjects, and also to the data subjects in case of high risk. Data processors must notify data controllers of any personal data breach as soon as possible after becoming aware of it.
Security incidents to the national cybersecurity agency (ANSSI): Operators of vital importance, essential service operators and certain digital service providers must inform either the prime minister or the national cybersecurity agency (ANSSI) of incidents that affect the operation or security of their information systems (see question 1.3).
Incidents to the Banque de France/Prudential Supervision and Resolution Authority (ACPR): Payment service providers must inform the financial authorities of any major operational incident arising from inadequate or failed processes, persons and systems or force majeure events that affect the integrity, availability, confidentiality, authenticity and/or continuity of payment services.
What are the mandatory or voluntary cyber-incident notification requirements? For example, to whom must notification be sent (eg, individuals, regulators, public filings)? Is there a required form or format? What is the timeframe for notification? Is the organisation that suffered the cyber-incident obliged to provide services, compensation or specific information to individuals who were affected? What are the exceptions/safe harbours that would allow organisations to avoid or not make notifications (eg, no risk of harm; information accessed was encrypted)?
Answer: Health information security incidents: Serious security incidents must be reported to the regional health agencies without delay by completing the dedicated form online.
Personal data breaches to the CNIL: Personal data breaches must be notified to the CNIL through its online teleservice by completing a standard form within 72 hours of the data controller becoming aware of the breach. Where notification does not take place within 72 hours, the delay must be justified.
Moreover, where a personal data breach will likely present a high risk to the rights and freedoms of data subjects, the data controller must also notify the data subjects as soon as possible, except where:
- personal data is protected by appropriate technical and organisational measures and will thus be incomprehensible to anyone who is not authorised to access it;
- the controller has taken further measures to ensure that the high risk is no longer likely to materialise; and
- communication of the breach to the data subjects would require disproportionate efforts.
Security incidents to ANSSI: These must be reported without undue delay via a form available on ANSSI's website, sent through a channel whose security is adapted to the sensitivity of the information being reported.
Incidents to the Banque de France/ACPR: These must be reported based on a notification model for payment service providers in accordance with Annex 1 of the EBA/GL/2017/10 guidelines. This document must be submitted within four hours of the incident through a dedicated website that connects to the Banque de France.
Answer: Only notifications to the various authorities listed in question 5.2 are mandatory in the event of a security incident. Although poor management of a security incident can constitute grounds for liability on the part of the company or its officers, no specific steps are required other than these various notifications.
However, the notification deadlines are sometimes very short; it is therefore necessary to establish internal procedures that make it possible to comply with them, while at the same time providing for measures to safeguard the interests of the company and the data subjects.
This type of procedure generally involves the following steps:
- incident reporting;
- establishment of a dedicated team and a crisis unit;
- analysis of the incident and implementation of urgent measures;
- qualification of the incident and notification of the competent authorities and, where appropriate, insurers;
- legal and technical precautionary measures;
- initiation of litigation or pre-litigation actions;
- implementation of appropriate corrective technical solutions; and
- documentation of the incident.
Answer: Corporate officers and directors have no direct legal duties, but as representatives of the company they must comply with the requirements set out in question 5.3.
Answer: In 2019 the French financial regulator (Autorité des marchés financiers) conducted short thematic controls entitled “SPOT” (Supervision of Operational and Thematic Practices).
Four of the six asset management companies which were subject to the controls had specific insurance against cyber risks, taken out by the group to which they belonged.
However, the ceiling on guarantees was not proportionate to the amounts of assets under management, which varied from €10 million to €400 million.