Data protection and Covid-19: French companies, their suppliers and contractors, and cyber risks

Written on 17 Apr 2020

As lockdown is extended in France for a few more weeks, companies still need to ensure they adopt actions required by law and to protect their data assets.

Amid the massive shift to remote working in France, companies concerned about the security of their remote workforce should also make sure they take the right actions in relation to suppliers and contractors whose employees have been asked to work remotely too. They need to ensure that they are implementing appropriate security measures to prevent and respond to cyberattacks, especially if they process personal data for the company and deal with any confidential or proprietary data.

Who is concerned and why does it matter?

Taking action is mandatory for many companies, and at a minimum is strongly recommended for most:

Operators of Vital Importance (OIVs) and Operators of Essential Services (OSEs). Under the 2016 EU Network and Information Security Directive (the “NIS Directive” adopted in 2016 and since implemented across EU), OIVs and OSEs have a statutory duty to ensure that their providers have implemented adequate security measures for the provision of their services when they have entrusted their operation to third parties. For instance, OIVs and OSEs must include in the cartography of their systems the IP addresses of third-party networks as well as the partitioning with said networks and the relevant data and elements allowing to detect a security breach from those.

Companies acting as data controller for personal data processed by its suppliers and contractors (article 28 of the GDPR). This is relevant for a vast majority of companies and, under article 28 of the General Data Protection Regulation (GDPR), any data controller using a third party for the processing of personal data is liable to ensure that this contractor offers sufficient guarantees and implements appropriate technical and organisational measures to ensure the protection of personal data.

All companies need to ensure the protection and security of confidential and proprietary information handled by third-party contractors. This lockdown period requires an assessment of what type of access third-party contractors have to the company’s most valuable, confidential and strategic data (including trade secrets and IP), whether in soft or hard copies, and whether these contractors are in a position to protect such data under the circumstances, and sufficiently required to do so under the applicable contract terms.

What must be done?

Companies already have much to address – and the scale of urgent actions can be huge – but here are some recommendations.

Prioritise. Naturally, companies have to take action first where they have a statutory duty or liability at stake. For most companies this relates to their liability as data controller for personal data processed by contractors and suppliers. Even in this situation, it is possible to prioritise by identifying those data processors with higher risks, such as processing specific categories of personal data, large-scale data, data relating to vulnerable individuals (minors, patients, employees), and data located outside the European Union.

Check existing agreements. It is strongly recommended to ensure that existing agreements with suppliers and contractors already include effective remote working security measures and that general confidentiality and security provisions are sufficiently robust.

Engage with your suppliers and contractors to:

  • Negotiate remote working, security and confidentiality amendments to contracts as necessary and prioritised.
  • Ask them to guarantee that the remote performance of the contract is carried out in accordance with the provisions of said contract and to provide you with any relevant information on the “out of the ordinary” security measures implemented to deal with the Covid-19 crisis.
  • More specifically, you are entitled to ensure that the remote working of their employees is fully secured, in particular if these employees process personal data or sensitive data for your business. You can request that they list and confirm their security measures and describe the remote working security conditions for their employees and, more globally, their plan of continuity of activity (if not already made available or if it has been revised in light of the situation). You should keep in mind that any request must be proportionate and justified. For instance, can you request the identity of all their employees working remotely?
  • With respect to your company personal data, the security measures must be adapted to the type of data processing activity carried out by each processor. However, any data controller is reasonably entitled to expect its data processors to put in place the following main security measures:
    • provide employees with secure VPN access;
    • set up a malware protection system on employees’ computer;
    • set up an authentication system (such as a strong password and two factor authentication system);
    • encrypt data at rest to protect data on the device if it is lost or stolen;
    • raise employee awareness on the use of phishing emails;
    • implement internal procedures relating remote working;
    • use device management (MDM) tools to set up devices with a standard configuration, and also to remotely lock devices, erase data or retrieve a backup;
    • train employees on securities issues related to remote working (turn off the home devices such as Alexa and Siri, not use public cloud application to share documents, etc.). In France, the data protection authority (CNIL) and the National Agency for the Security of IT Systems (ANSSI) have published extensive guidance and recommendations on security, in particular on remote working and on the use of subcontractors. Other EU Member States regulators do the same. It may be useful to remind your processors of these obligations.
    • Ask them, optionally, to disclose, if not already done, their cyber risks insurance coverage.

Document your actions

With respect to personal data, you will to be able to show as data controller that you have been proactive in addressing the security of the personal data under your responsibility, as processed by your contractors, even during the crisis. This action may turn to be critical in the event of a data security breach in order to face a potential data privacy compliance investigation.

More generally, documenting all your actions will be useful in order to enforce contractual confidentiality obligations or the protection of industrial or trade secrets, as the case may be.

Communication format. You can contemplate sending a circular communication to your contractors requiring a formal reply and engage individually only with the most sensitive contractors. Even where discussions with the latter can be engaged informally for the sake of your commercial relationships it should be backed up with written correspondence.

In conclusion

As your company engage in the foregoing actions it must be mindful that it is itself acting as supplier and contractor for its own corporate customers. You may see this as an opportunity to engage proactively with those customers to inform them about the remote working security you have implemented. Beyond the need to comply with applicable law, only a collective cyber risks resilience will help resisting the current global wave of cyber-attacks.