What’s this about?
Cyberattacks continue unabated, including ransomware ones. As you’re no doubt aware, a ransomware attack uses malware that encrypts or otherwise restricts access to computers, systems or data by exploiting system vulnerabilities. The attackers demand that the victim pays money (usually in cryptocurrency such as Bitcoin or Monero) to receive the decryption key or recover access.
Dealing with a cyberattack needs to be managed properly and must be treated as a very high priority matter by the team handling it, including a fast turnaround on reporting to regulators, communicating with affected individuals and informing insurers. As we understand things, new French rules make cyberattack insurance payment conditional upon reporting an incident within a set timeframe – this news item briefly looks at this issue.
What does new French law say?
According to Article 5 of French law 2023-22 of 24 January 2023 (https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000047046768), which apparently amends the official French insurance code:
“The payment of a sum pursuant to the clause of an insurance contract aimed at compensating an insured for loss and damage caused by an attack on an automated data processing system […] is subject to the filing of a notice by the victim with the competent authorities no later than seventy-two hours after the victim becomes aware of the attack. This article only applies to legal persons and natural persons in the context of their professional activity” (rough translation for this news item).
What happens next?
This new French legal provision will apparently enter into force as of 24 April 2023.
There are a number of issues that an organization will need to get to grips with here, and on which it should consider obtaining French legal advice, including the following:
- How the notice should be put together and delivered;
- The type of incident in scope – this new French legal provision does not appear to be limited to the context of data breaches (i.e. data protection law) – areas like the so-called EU NIS rules, as implemented in France, might also be covered;
- The scope of “loss” and “damage”, including whether or not making a ransomware payment is legal – on the surface this new French legal provision does not appear to make paying a ransom illegal, but this is an area on which an organization will need very clear guidance (with regard to French law and regulatory guidance). Even if paying a ransom is not in itself considered illegal in France, the other risks of paying a ransom will need to be considered extremely carefully by the organization, including legal, commercial, societal and reputational ones. We have more thoughts on the dangers of paying a ransom here https://www.corderycompliance.com/ransomware-pay-or-not/;
- The meaning of “an automated data processing system” along with an “attack” on it;
- Which “competent authorities” are to be notified – this may, at the very least, mean law enforcement and the Office of the Public Prosecutor (and possibly regulators); and,
- The meaning of “becoming aware of an attack”.
The changes in France also come at a time when Lloyd’s has changed its requirements on ransomware insurance. We have written about that here https://www.corderycompliance.com/lloyds-cyber-insurance1/. As a reminder those changes come in at the end of this month.
As next practical steps, international organizations operating in France should consider reviewing:
- Their cybersecurity insurance to check what is covered – if they don’t have any cybersecurity insurance they should consider taking this out and should talk to their insurer or insurance broker; and,
- Their policies and procedures to ensure that the organization can handle making the notification, especially to meet the tight 72-hour deadline – one idea might be to create a template notice, tailored to the organization, that covers all possibilities – and to ensure that making this notice is co-ordinated with any other reporting that needs to be made to regulators according to the type of incident and legal area; and,
- Their response readiness. Rehearsing a breach response helps an organization get battle ready. Attending a Cordery Data Breach Academy can help test readiness. There are more details here https://www.corderycompliance.com/cordery-data-breach-academy-2-2/.
For the sake of clarity, Cordery does not advise on French law and this article is provided by way of information only.
Our article “Ransomware – To Pay or Not to Pay?” can be found here https://www.corderycompliance.com/ransomware-pay-or-not/.
Our article “Ransomware – COVID-19 & Upgrading Your Defences” can be found here https://www.corderycompliance.com/client-alert-ransomware-covid19-and-upgrading-defences/.
We have also written about the NIS regime here https://www.corderycompliance.com/eu-nis2-cyber-rules-1/, here https://www.corderycompliance.com/eu-nis2-rules/, here https://www.corderycompliance.com/client-alert-nis-2-directive/, here https://www.corderycompliance.com/eu-network-information-security-directive-faqs/, here https://www.corderycompliance.com/uk-to-implement-eu-cybersecurity-directive/, and here https://www.corderycompliance.com/uk-government-response-to-cybersecurity-nis-digital-service-providers-consultation/.
We report about cybersecurity issues here https://www.corderycompliance.com/category/cyber-security/.
We report about data protection and privacy issues here https://www.corderycompliance.com/category/data-protection-privacy/.
The French law discussed in this article can be found here https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000047046768.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785