French firms: You want us to compile DATABASES... of our SECRET information?

New law increases cyber attack risks, biz fumes to govt

Businesses in France are being asked to compile a database of commercially sensitive information that will potentially attract increased interest from cyber criminals.

Changes to employment laws in the country will require businesses with more than 50 employees to create a database for worker representatives to be able to access. The database must contain information such as details of business assets, employee salaries and forecasts outlining the strategic direction of the company.

The creation of this database raises a number of regulatory and compliance issues. Above all, it increases the risks faced by companies in relation to the protection of confidential business information and protection against cyber attacks. The volume of such attacks may increase given the economic value of the database contents.

Businesses may need to change their IT policies, alter their ways of working with work council representatives and undertake a review of their overall compliance with French employment laws and of the way they protect confidential business information as a result of the changes.

How do the changes affect businesses?

The reform raises a general issue regarding the protection of confidential business information. In practical terms, it will be the first time that such a comprehensive central database of confidential information has been created and made available to such a large group of people, many of whom may never before have had such easy access to this information or to such a full picture of a company.

The most worrying part of this change is related to the security of the database. Although the database will be accessible solely to members of work councils, it may be stored on a company's intranet or on a network which could be accessible remotely. For cyber thieves, the database is a potential goldmine and if they are able to gain access to a business's network there is a chance that they will be able to retrieve financially sensitive information.

The communication of this information to work council members may, to some extent, jeopardise the confidential nature of this information. Proposed new EU laws, under the draft Trade Secrets Directive, would further jeopardise the confidentiality of business information because, if accepted in their current form, the acquisition of trade secrets through "the exercise of the right of workers representatives to information and consultation" would be considered to be lawful.

Although French law has specified that work council members shall be bound by a fiduciary duty of confidentiality, this does not provide businesses with preventive enforcement measures or sanctions against indiscreet worker representatives.

Unless they have planned for this in advance, companies facing theft or disclosure of confidential business information by employee representatives will have no choice but to either request a court injunction to stop the disclosure of the information or seek damages.

What is the exact scope of the change to French law?

Changes to French employment laws were contained in a new Act and decree last year and provide employee representatives with additional "co-determination rights" on top of those that currently exist. The changes set out the regulatory duties French-established businesses have in communicating information to employee representatives, as well as the timetable and method for reporting such information.

Although French law already contains an obligation for businesses to communicate part of this information to the work council on a timely basis, the changes mean that, for the first time, the information has to be communicated at the same time and via a durable medium.

A new article within the Labour Code in France provides that all companies having a work council must set up a database accessible to the work council, on which specific – and sensitive – information and figures about the company's strategy for the past two years, as well as forecasts for the next three years, should be available.

Information to be stored on the database must include information on the company's assets and investments, including R&D costs; information on the company's own funds, debts and the amount of taxes paid; information on the salary of all employees, managers and directors; information on any public subsidies received, tax deductions specific to the company; details of any financial transfer between entities of the group, mergers and acquisitions where the company is part of a group.

Companies employing 300 or more staff in France have until 14 June 2014 to create the database. Businesses with between 50 and 299 employees in France have an extra year to comply. The obligations apply as soon as the threshold is met, regardless of the way in which businesses structure their presence in France (although their practical implementation may vary depending on the business structure).

Under the reforms, work councils are allowed, within their company-allocated budgets, to appoint external auditors to review and analyse the information provided on the database.

Are there specific sanctions or enforcement measures for non-compliance?

Any non-compliant company will face the sanctions associated with the criminal offence of "délit d'entrave", which broadly relates to any type of violation of "co-determination rights" under French law. Individual executives may potentially be jailed for up to a year and businesses can be fined up to €18,750.

Any member of an existing work council, any employee of the company or any member of a representative labour union will also be able to seek a court order against companies to compel businesses to set up the database if they do not do so. Businesses in France are often subject to fines for each day that they fail to comply with the terms of a court order.

What can businesses do to mitigate the risks?

Given the real threats for businesses associated with the setting up of this database and the short deadline left for ensuring compliance, it is paramount that businesses prepare to meet the new obligations now.

In particular, businesses should gather the resources necessary for the creation of this specific database, whether internally or externally.

The database also has to be designed in a way that ensures full compliance with the scope of information required while also providing a sufficient level of security. Businesses need to think about managing different levels of access and forbidding certain functionalities, such as printing or saving documents outside the database. This may require changes to be made to businesses' overall IT systems.

Businesses should also increase, to the maximum extent permitted by law, the contractual liability of worker representatives in the event of disclosure of secret business information.

In implementing the changes, businesses may have to conduct a broader review of their compliance with French employment rules in terms of communication of information to the work council as well as a broad review of the company's internal IT policy.

The security issues raised by these legal changes require that actions be taken at board level, with a global review of the corporate governance on the protection of confidential business information.

Guillaume Bellmont is an Avocat à la Cour for Pinsent Masons, the law firm behind Out-Law.com

Copyright © 2014, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.