Free, SFR, France Travail, Viamédis and Almerys, Boulanger, Cultura, Truffaut, Grosbill, the Family Allowance Fund (CAF)… Which company or public body has not yet suffered a cyberattack? In its annual report published last Tuesday (April 29), the CNIL, the authority responsible for protecting our privacy, voices concern about the rise in personal data breaches: up 20% between 2023 and 2024 and, on top of that, a surge in very large-scale leaks.
To better protect large databases, the personal data regulator has since published a series of recommendations. From 2026, two-factor authentication will be required for very large databases, those concerning at least two million people. In concrete terms, a password alone will no longer be sufficient.
For 01net.com, Romain Perray, associate lawyer in charge of the Tech & Data department at McDermott Will & Emery, reviewed this annual CNIL data breach report. For the specialist in digital and cyber issues, the CNIL's assessment is far from surprising.
An increasing number of attacks, and subcontractors in the crosshairs
"Since the pandemic, things have accelerated. Previously, we certainly had personal data breaches, but not on such a massive scale," he said. Public services, healthcare in particular, were attacked. Attackers then moved from targeting a single organization to targeting its subcontractors. "By attacking a service provider, we affect several entities," emphasizes Maître Perray, similar to "the SolarWinds scandal that took place in the United States" in 2020.
Last year in France, Viamedis, a French company specializing in the management of supplementary health benefits, and Almerys, its competitor, were the targets of cyberattacks. In total, nearly 33 million French people were affected. In 2024, 17,772 complaints were recorded, 8% more than in 2023. And the trend continues, with 2,500 data breaches already reported in France during the first quarter of 2025.
How can these figures be explained? For many, "IT security issues remain a bit obscure," says the man who is also a lecturer at the Universities of Paris I, Paris II, and Paris V. "As long as you don't see the theft as such, as if someone had broken into your home and you saw that someone had gone through your things, as long as it doesn't actually happen to you, you have trouble realizing that you're an easy target," he continues. "The issue is not at all whether we're going to be exposed to a cyberattack; the real issue is when," explains the specialist, a phrase also used by the president of the CNIL, Marie-Laure Denis, during the presentation of the report on Tuesday, April 29. And the issue is still not well integrated into the consciousness of organizations. "It's also because the IT tool is relatively unknown and is often considered as a support for the activity and not as a strategic element of the activity," notes the expert.
A "blind spot" in the legal arsenal?
The CNIL's annual report, which sounds the alarm, is also explained "by the current regulatory context." While several European texts (the NIS 2 directive, the DORA regulation) are being brought into national law, notably via the bill "relating to the resilience of critical infrastructures and the strengthening of cybersecurity," some sectors still escape the obligations or recommendations related to personal data and IT security.
"In this framework, we have a blind spot, which is the set of sectors of activity that fall neither within the scope of NIS 2 nor within the scope of DORA," explains Maître Perray. NIS 2 imposes more stringent cybersecurity and risk management requirements on so-called "essential" and "important" entities. The former include public administrations and actors essential to the functioning of the State, such as energy, water, transport, communications, and part of health. Among the latter are now postal services and manufacturers of equipment, in particular mechanical or electronic equipment. DORA, a regulation rather than a directive, covers financial institutions.
For all others, the CNIL "is obliged to step up, since the vast majority of data stored on information systems, which fall neither within the scope of NIS 2 nor within the scope of DORA, do contain personal data." For these systems, however, "the technical measures to be implemented should ultimately be equivalent to the more explicit or prescriptive regulatory requirements," the lawyer indicates.
Moving to a more repressive format?
Be careful: "the CNIL does not impose anything, in the strict sense of the term. The report (published on April 29, Editor's note) has no legally binding effect. The documents to which the CNIL refers are essentially recommendations, and therefore are not binding by nature," he explains. "On the other hand, what the CNIL can do is this: based on its recommendations, if it carries out an inspection and finds that the security measures are insufficient, it is fully able to impose sanctions, including on the basis of those recommendations." The reason is simple: "The CNIL does not have the regulatory power to impose a rule of law." But for the lawyer specializing in these matters, it is fundamental to "raise the level of education and awareness (of cyber risks, Editor's note)," and one of the ways to achieve this is to "hit hard. We saw this with the GDPR." The 2018 European data protection regulation has, through fines, made it possible to better protect personal data. The remaining question "is institutional, that is to say that ANSSI, like the CNIL, has always operated in a pedagogical philosophy. They naturally take time to move to a more repressive format. ANSSI has already made it clear that the companies concerned (by NIS 2) would have a period of three years to ramp up," underlines Maître Perray.
Are companies and public bodies required to maintain a minimum level of cybersecurity? What obligations must public or private entities comply with?
For personal data, the GDPR provides for two security requirements. "The first is considered a fundamental principle, known as the integrity and confidentiality of personal data. Then comes Article 32, which provides for the measures implementing this fundamental principle."
The GDPR essentially says: one, this is the guiding principle (the integrity and confidentiality of personal data), and two, you must adopt security measures commensurate with your level of risk, depending on the sensitivity of the data. "Over time, these measures are becoming more and more identifiable, since standards have developed," such as "multi-factor authentication" or "the need to change a password, for example, every six months now, with increasingly long character combinations," he lists. As a result, "if you end up with operators who provide passwords that are 1, 2, 3, 4, the security level is not met, and in that case the CNIL can note the breach and impose sanctions, which it has already done."
Can a company or public entity be held responsible for its lack of IT "robustness" after a data leak?
The idea is first to "focus on remediating the consequences of the cyberattack. And it is only in a second phase, generally when there is something very obvious, that we will sanction the organizations that have failed. This is rather how the subject is treated, at least in Europe, and particularly in France," explains Romain Perray. "The philosophy behind all this is that we are not going to sanction the victim even more. The company targeted by a cyberattack already has a lot to manage. What remains a common-sense measure is to ensure that the consequences for individuals and for the organization are limited," he adds. But now, as in NIS 2 and DORA, "top management take responsibility for essential choices and cyber strategy"
Only "manifestly failing" organizations are sanctioned?
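The controls listed above (multi-factor authentication, a minimum password length, rejection of trivial passwords such as "1234") in working form, as an added example that is not part of the article or of any CNIL text: a login that succeeds only when a policy-compliant password matches its stored hash and a time-based one-time code (TOTP, RFC 6238) from a second factor is also valid. The user record, the salt, the 12-character minimum and the weak-password list are constructed assumptions for the example; the TOTP secret is the RFC 6238 reference secret, so the expected codes are the RFC's own test vectors.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Assumptions for the example: a policy threshold and a small deny list of the
# trivial sequences the article mentions. A real deployment would check against
# a breached-password list instead of a hand-written set.
MIN_PASSWORD_LENGTH = 12
WEAK_PASSWORDS = {"1234", "123456", "12345678", "password", "azerty", "qwerty"}


def password_policy_ok(password: str) -> bool:
    """Reject passwords that are too short or on the deny list."""
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in WEAK_PASSWORDS


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256; the salt is stored next to the hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to absorb clock drift.
    compare_digest keeps each comparison constant-time."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * 30).encode(), code.encode())
        for k in range(-window, window + 1)
    )


def enroll(password: str, totp_secret: bytes, salt: bytes) -> dict:
    """The policy is enforced when the password is set, not only at login."""
    if not password_policy_ok(password):
        raise ValueError("password does not meet the policy")
    return {"salt": salt, "password_hash": hash_password(password, salt),
            "totp_secret": totp_secret}


def login(record: dict, password: str, otp_code: str, unix_time: Optional[int] = None) -> bool:
    """Both factors must pass: the password alone is never enough."""
    now = int(time.time()) if unix_time is None else unix_time
    candidate = hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["password_hash"]):
        return False
    return verify_totp(record["totp_secret"], otp_code, now)


# Constructed user record; the TOTP secret is the RFC 6238 reference secret.
RFC_SECRET = b"12345678901234567890"
USER = enroll("correct horse battery staple", RFC_SECRET, b"constructed-salt")

if __name__ == "__main__":
    t = 59  # RFC 6238 vector: TOTP(secret, 59) = 287082 with 6 digits
    print("password only :", login(USER, "correct horse battery staple", "000000", t))
    print("password + OTP:", login(USER, "correct horse battery staple", "287082", t))
```

The drift window of one step on each side is the usual trade-off between usability and replay exposure; a production verifier would additionally record the last accepted step per user so the same code cannot be replayed within the window.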