iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
A new law is set to take effect in France next month that requires companies to report any cyber incidents to French authorities within 72 hours, or the company in question will lose their chance to receive an insurance payout.
However, the law seems vague on a number of points, which has companies and lawyers alike wondering just how to prepare for the change.
The actual wording of the new part of the criminal code makes insurance payments pursuant to “the filing of a complaint by the victim with the competent authorities no later than seventy-two hours after the victim’s knowledge of the breach”.
However, law firm Orrick noted the vague wording of the law.
“The law is not specific regarding the identity of the ‘competent authorities’ with whom a complaint should be filed,” Orrick’s lawyers noted, “although the impact assessment of the draft law (now adopted) refers to the police and judicial authorities”.
The law also doesn’t address the method of the reporting itself, as there are multiple agencies that such reports can be made to, including “France’s national information system security agency (ANSSI), regional health authority (ARS), and its data protection authority (the CNIL)”.
In fact, according to Orrick, reports can also be made to the General Directorate of Internal Security as a general criminal complaint.
The other matter the wording of the law leaves up in the air is the timing of the reporting.
“According to the law, the 72-hour deadline starts to run from the moment the victim has knowledge of the breach,” Orrick said. “Whether this means knowledge of the criminal nature of the incident, or just that an incident has occurred, is not clear.”
The new law is also a challenge for companies that operate in multiple countries, under multiple legal jurisdictions.
“Such organisations should be clear about whether the insurance policy is subject to the provisions of the French Insurance Code and address the wider implications of an international incident,” Orrick said, “especially regarding seeking an indemnity under the policy”.
The law clearly has the right aim in mind, of ensuring quick and accurate reporting of cyber incidents and data breaches. However, the vague nature of the wording makes compliance a challenge.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
