What criminal liability risk for companies?
According to Henri-Leben, many companies are required to declare to the CNIL the personal data files they build from information supplied by their customers. The precautions that accompany the use of such files are generally well known: data must be collected from persons who have given their consent, for a specified purpose; they must be kept only for a period consistent with that purpose; and they must remain accessible to, and modifiable by, the person from whom they were collected. Less well known is the risk of prosecution hanging over the company and the data controller when access to such data is not adequately protected.
The opening of businesses to the Internet has brought new legal risks, compounded by a tightening of the legislation on liability.
Indeed, the security deficiencies that yesterday made the company a victim in the event of an intrusion into, or interference with, its automated data processing system (1) can today make it liable, or even guilty. This may be the case, for example, when a security hole gives access to corporate data, or when a virus is rebroadcast through the company's systems.
Criminal penalties for breaches affecting automated data processing
Article 34 of the Data Protection Act of 6 January 1978 provides that "the controller shall take all necessary precautions, having regard to the nature of the data and the risks presented by the processing, to preserve the security of the data and, in particular, to prevent them from being distorted or damaged, or from being accessed by unauthorized third parties (...)". Failure to take appropriate precautions is punishable by up to five years' imprisonment and a fine of €300,000.
Any company that manages data must therefore, before starting any collection, check the following four points:
Are the data collected "personal data" within the meaning of the Data Protection Act?
If so, have the requirements for declaration to, or authorization from, the CNIL for the creation of the file been complied with?
Are the means of guaranteeing the rights of the persons from whom the data were collected effective?
Are the data sufficiently secured to prevent any attack on their content or any access by unauthorized persons?
Network security is therefore a major issue where personal data are concerned.
The directive of 24 October 1995 on personal data specifies that the controller must implement
"appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing."
The courts infer from these provisions that the security obligation resting on the data controller applies as much to computer risks (intrusions, Trojans, etc.) as to physical hazards (fire, theft of physical media, etc.).
In practice, the measures taken must be consistent with the state of the art and proportionate to the risk presented by the data. Obviously, a security flaw affecting a file of "sensitive" data will be punished more heavily than one affecting more benign data.
Although the controller is not under an obligation of result, it must nevertheless be able to prove that it has implemented all the measures that could reasonably be expected of it to secure the file as a whole.
The problem is all the more crucial because a failure by the controller can justify criminal charges both against the controller personally and against the company that employs him. For the record, the penalty under Article 226-17 of the Penal Code is five years' imprisonment and a fine of €300,000, the latter figure being raised to €1,500,000 when the liability of the company itself, as a legal person, is at stake.
Note that the public prosecutor will also be entitled to demand the deletion of a data file that is not adequately protected, if it considers that the defect presents a risk to the privacy of the individuals whose data were collected.
Data security thus carries a real legal risk: inadequate protection is likely to have consequences that are both criminal and economic.
Source: globalsecuritymag.fr