New law increases cyber attack risks for French companies

Out-Law Analysis | 03 Apr 2014 | 9:47 am | 4 min. read

FOCUS: Businesses in France are being asked to compile a database of commercially sensitive information that will potentially attract increased interest from cyber criminals.

Changes to employment laws in the country will require businesses with more than 50 employees to create a database for worker representatives to be able to access. The database must contain information such as details of business assets, employee salaries and forecasts outlining the strategic direction of the company.

The creation of this database raises a number of regulatory and compliance issues. Above all, it increases the risks faced by companies in relation to the protection of confidential business information and protection against cyber attacks. The volume of such attacks may increase given the economic value of the database contents.

Businesses may need to change their IT policies, alter their ways of working with work council representatives and undertake a review of their overall compliance with French employment laws and of the way they protect confidential business information as a result of the changes.

How do the changes affect businesses?

The reform raises a general issue regarding the protection of confidential business information. Practically, it will be the first time that such a comprehensive central database of confidential information will be created and made available to such a large group of people, many of which may never have accessed such information so easily and had access to such a full picture about a company.

The most worrying part of this change is related to the security of the database. Although the database will be accessible solely to members of work councils, it may be stored on a company's intranet or on a network which could be accessible remotely. For cyber thieves, the database is a potential goldmine and if they are able to gain access to a business's network there is a chance that they will be able to retrieve financially sensitive information.

The communication of this information to work council members may, to some extent, jeopardise the confidential nature of this information. Proposed new EU laws, under the draft Trade Secrets Directive, would further jeopardise the confidentiality of business information because, if accepted in their current form, the acquisition of trade secrets through "the exercise of the right of workers representatives to information and consultation" would be considered to be lawful.

Although French law has specified that work council members shall be bound by a fiduciary duty of confidentiality, this does not provide businesses with preventive enforcement measures or sanctions against indiscreet worker representatives. 

Unless otherwise anticipated, companies facing theft or disclosure of confidential business information by employee representatives will have no other choice than to either request court injunctions to stop the disclosure of this confidential information or seek damages.

What is the exact scope of the change to French law?

Changes to French employment laws were contained in a new Act and decree last year and provide additional "co-determinaton rights" to employee representatives that currently exist. The changes explain the regulatory duties French-established businesses have in communicating information to employee representatives, as well as the timetable and method for reporting such information.

Although French law already contains an obligation for businesses to communicate part of this information to the work council on a timely basis, the changes mean that, for the first time, the information has to be communicated at the same time and via a durable medium.

A new article within the Labour Code in France provides that all companies having a work council must set up a database accessible to the work council, on which specific – and sensitive – information and figures about the company's strategy for the past two years, as well as forecasts for the next three years, should be available.

Information to be stored on the database must include information on the company's assets and investments, including R&D costs; information on the company's own funds, debts and the amount of taxes paid; information on the salary of all employees, managers and directors; information on any public subsidies received, tax deductions specific to the company; details of any financial transfer between entities of the group, mergers and acquisitions where the company is part of a group.

Companies employing 300 or more staff in France have until 14 June 2014 to create the database. Businesses with between 50 and 299 employees in France have an extra year to comply. The obligations apply as soon as the threshold is met, regardless of the way in which business structure their presence in France (although their practical implementation may vary depending on the business structure).

Under the reforms, work councils are allowed to appoint, within their company-allocated budgets, to appoint external auditors to review the information provided on the database and analyse it.

Are there specific sanctions or enforcement measures for non-compliance?

Any non-compliant company will face the sanctions associated to the criminal offence of "délit d'entrave", which broadly relates to any type of violation of "co-determination rights" under French law. Individual executives may potentially be jailed for up to a year and the businesses can be fined up to €18,750.

Any member of an existing work council, any employee of the company or any member of a representative labour union will also be able to seek a court order against companies to compel businesses to set up the database if they do not do so. Businesses in France are often subject to fines for each day that they fail to comply with the terms of a court order.

What can businesses do to mitigate the risks?

Given the real threats for businesses associated with the setting up of this database and the short deadline left for ensuring compliance, it is paramount that businesses prepare to meet the new obligations now.

In particular, businesses should gather the resources necessary for the creation of this specific database, whether internally or externally.

The database also has to be designed in a way that ensures full compliance with the scope of information required but also that there is a sufficient level of security. Businesses need to think about managing different level of access, and forbidding certain functionalities such as printing, saving documents outside the database, for example. This may require changes to be made to businesses' overall IT systems.

Businesses should also increase, to the maximum extent permitted by law, the contractual liability of workers representatives in the event of disclosure of secret business information.

In implementing the changes, businesses may have to conduct a broader review of their compliance with French employment rules in terms of communication of information to the work council as well as a broad review of the company's internal IT policy.

The security issues raised by these legal changes require that actions be taken at board level, with a global review of the corporate governance on the protection of confidential business information. 

Guillaume Bellmont is a Avocat à la Cour for Pinsent Masons', the law firm behind