French firms: You want us to compile DATABASES... of our SECRET information?

New law increases cyber attack risks, biz fumes to govt


Businesses in France are being asked to compile a database of commercially sensitive information that will potentially attract increased interest from cyber criminals.

Changes to employment laws in the country will require businesses with more than 50 employees to create a database for worker representatives to be able to access. The database must contain information such as details of business assets, employee salaries and forecasts outlining the strategic direction of the company.

The creation of this database raises a number of regulatory and compliance issues. Above all, it increases the risks faced by companies in relation to the protection of confidential business information and protection against cyber attacks. The volume of such attacks may increase given the economic value of the database contents.

Businesses may need to change their IT policies, alter their ways of working with work council representatives and undertake a review of their overall compliance with French employment laws and of the way they protect confidential business information as a result of the changes.

How do the changes affect businesses?

The reform raises a general issue regarding the protection of confidential business information. Practically, it will be the first time that such a comprehensive central database of confidential information will be created and made available to such a large group of people, many of whom may never before have had such easy access to this information or such a full picture of a company.

The most worrying part of this change is related to the security of the database. Although the database will be accessible solely to members of work councils, it may be stored on a company's intranet or on a network which could be accessible remotely. For cyber thieves, the database is a potential goldmine and if they are able to gain access to a business's network there is a chance that they will be able to retrieve financially sensitive information.

The communication of this information to work council members may, to some extent, jeopardise the confidential nature of this information. Proposed new EU laws, under the draft Trade Secrets Directive, would further jeopardise the confidentiality of business information because, if accepted in their current form, the acquisition of trade secrets through "the exercise of the right of workers representatives to information and consultation" would be considered to be lawful.

Although French law has specified that work council members shall be bound by a fiduciary duty of confidentiality, this does not provide businesses with preventive enforcement measures or sanctions against indiscreet worker representatives.

Unless otherwise anticipated, companies facing theft or disclosure of confidential business information by employee representatives will have no other choice than to either request court injunctions to stop the disclosure of this confidential information or seek damages.

What is the exact scope of the change to French law?

Changes to French employment laws were contained in a new Act and decree last year and provide employee representatives with "co-determination rights" additional to those that currently exist. The changes explain the regulatory duties French-established businesses have in communicating information to employee representatives, as well as the timetable and method for reporting such information.

Although French law already contains an obligation for businesses to communicate part of this information to the work council on a timely basis, the changes mean that, for the first time, the information has to be communicated at the same time and via a durable medium.

A new article within the Labour Code in France provides that all companies having a work council must set up a database accessible to the work council, on which specific – and sensitive – information and figures about the company's strategy for the past two years, as well as forecasts for the next three years, should be available.

Information to be stored on the database must include information on the company's assets and investments, including R&D costs; information on the company's own funds, debts and the amount of taxes paid; information on the salary of all employees, managers and directors; information on any public subsidies received, tax deductions specific to the company; details of any financial transfer between entities of the group, mergers and acquisitions where the company is part of a group.

Companies employing 300 or more staff in France have until 14 June 2014 to create the database. Businesses with between 50 and 299 employees in France have an extra year to comply. The obligations apply as soon as the threshold is met, regardless of the way in which businesses structure their presence in France (although their practical implementation may vary depending on the business structure).

Under the reforms, work councils are allowed to appoint, within their company-allocated budgets, external auditors to review and analyse the information provided on the database.

Are there specific sanctions or enforcement measures for non-compliance?

Any non-compliant company will face the sanctions associated with the criminal offence of "délit d'entrave", which broadly relates to any type of violation of "co-determination rights" under French law. Individual executives may potentially be jailed for up to a year and the businesses can be fined up to €18,750.

Any member of an existing work council, any employee of the company or any member of a representative labour union will also be able to seek a court order against companies to compel businesses to set up the database if they do not do so. Businesses in France are often subject to fines for each day that they fail to comply with the terms of a court order.

What can businesses do to mitigate the risks?

Given the real threats for businesses associated with the setting up of this database and the short deadline left for ensuring compliance, it is paramount that businesses prepare to meet the new obligations now.

In particular, businesses should gather the resources necessary for the creation of this specific database, whether internally or externally.

The database also has to be designed in a way that ensures not only full compliance with the scope of information required but also a sufficient level of security. Businesses need to think about managing different levels of access and forbidding certain functionalities, such as printing or saving documents outside the database. This may require changes to be made to businesses' overall IT systems.

Businesses should also increase, to the maximum extent permitted by law, the contractual liability of workers' representatives in the event of disclosure of secret business information.

In implementing the changes, businesses may have to conduct a broader review of their compliance with French employment rules in terms of communication of information to the work council as well as a broad review of the company's internal IT policy.

The security issues raised by these legal changes require that actions be taken at board level, with a global review of the corporate governance on the protection of confidential business information.

Guillaume Bellmont is an Avocat à la Cour for Pinsent Masons, the law firm behind Out-Law.com.

Copyright © 2014, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
