French firms: You want us to compile DATABASES... of our SECRET information?

New law increases cyber attack risks, biz fumes to govt

Businesses in France are being asked to compile a database of commercially sensitive information that will potentially attract increased interest from cyber criminals.

Changes to employment laws in the country will require businesses with more than 50 employees to create a database for worker representatives to be able to access. The database must contain information such as details of business assets, employee salaries and forecasts outlining the strategic direction of the company.

The creation of this database raises a number of regulatory and compliance issues. Above all, it increases the risks faced by companies in relation to the protection of confidential business information and protection against cyber attacks. The volume of such attacks may increase given the economic value of the database contents.

Businesses may need to change their IT policies, alter their ways of working with work council representatives and undertake a review of their overall compliance with French employment laws and of the way they protect confidential business information as a result of the changes.

How do the changes affect businesses?

The reform raises a general issue regarding the protection of confidential business information. In practice, it will be the first time that such a comprehensive central database of confidential information is created and made available to such a large group of people, many of whom may never before have had such easy access to this information, or to such a full picture of the company.

The most worrying part of this change concerns the security of the database. Although the database will be accessible solely to members of work councils, it may be hosted on a company's intranet or on a network that is reachable remotely. For cyber thieves the database is a potential goldmine: an attacker who gains access to the business's network may be able to retrieve financially sensitive information that was previously scattered across many systems from a single place.

The communication of this information to work council members may, to some extent, jeopardise the confidential nature of this information. Proposed new EU laws, under the draft Trade Secrets Directive, would further jeopardise the confidentiality of business information because, if accepted in their current form, the acquisition of trade secrets through "the exercise of the right of workers representatives to information and consultation" would be considered to be lawful.

Although French law has specified that work council members shall be bound by a fiduciary duty of confidentiality, this does not provide businesses with preventive enforcement measures or sanctions against indiscreet worker representatives.

Unless they have prepared for this in advance, companies facing theft or disclosure of confidential business information by employee representatives will have no other choice than to either request court injunctions to stop the disclosure of the information or seek damages after the fact.

What is the exact scope of the change to French law?

Changes to French employment laws were contained in a new Act and decree last year and provide employee representatives with additional "co-determination rights" on top of those that already exist. The changes set out the regulatory duties French-established businesses have in communicating information to employee representatives, as well as the timetable and method for reporting such information.

Although French law already contains an obligation for businesses to communicate part of this information to the work council on a timely basis, the changes mean that, for the first time, the information has to be communicated at the same time and via a durable medium.

A new article within the Labour Code in France provides that all companies having a work council must set up a database accessible to the work council, on which specific – and sensitive – information and figures about the company's strategy for the past two years, as well as forecasts for the next three years, should be available.

Information to be stored on the database must include information on the company's assets and investments, including R&D costs; information on the company's own funds, debts and the amount of taxes paid; information on the salary of all employees, managers and directors; information on any public subsidies received, tax deductions specific to the company; details of any financial transfer between entities of the group, mergers and acquisitions where the company is part of a group.

Companies employing 300 or more staff in France have until 14 June 2014 to create the database. Businesses with between 50 and 299 employees in France have an extra year to comply. The obligations apply as soon as the threshold is met, regardless of the way in which businesses structure their presence in France (although their practical implementation may vary depending on the business structure).

Under the reforms, work councils are allowed to appoint, within their company-allocated budgets, external auditors to review and analyse the information provided on the database.

Are there specific sanctions or enforcement measures for non-compliance?

Any non-compliant company will face the sanctions associated with the criminal offence of "délit d'entrave", which broadly covers any type of violation of "co-determination rights" under French law. Individual executives may potentially be jailed for up to a year and the business can be fined up to €18,750.

Any member of an existing work council, any employee of the company or any member of a representative labour union will also be able to seek a court order compelling a business to set up the database if it has not done so. Businesses in France are often subject to fines for each day that they fail to comply with the terms of a court order.

What can businesses do to mitigate the risks?

Given the real threats for businesses associated with the setting up of this database and the short deadline left for ensuring compliance, it is paramount that businesses prepare to meet the new obligations now.

In particular, businesses should gather the resources necessary for the creation of this specific database, whether internally or externally.

The database also has to be designed in a way that ensures full compliance with the scope of information required, but also provides a sufficient level of security. Businesses need to think about managing different levels of access, and about restricting certain functionality, such as printing or saving documents outside the database. Keeping a record of who accessed which documents, and when, is also worth considering, since the confidentiality duty placed on work council members is hard to enforce without evidence of how a disclosure occurred. This may require changes to be made to businesses' overall IT systems.

Businesses should also increase, to the maximum extent permitted by law, the contractual liability of worker representatives in the event of disclosure of confidential business information.

In implementing the changes, businesses may have to conduct a broader review of their compliance with French employment rules in terms of communication of information to the work council as well as a broad review of the company's internal IT policy.

The security issues raised by these legal changes require that actions be taken at board level, with a global review of the corporate governance on the protection of confidential business information.

Guillaume Bellmont is an Avocat à la Cour for Pinsent Masons, the law firm behind Out-Law.com

Copyright © 2014, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
