The finding is alarming: 65% of communities with fewer than 3,500 people believe cyber risk is low or non-existent, or do not know how to assess it, according to a study published in May by Cybermalveillance.gouv.fr, a platform that assists victims of attacks. However, the facts do not lie: local communities are regularly attacked by hackers.
Avoid Cyber Attacks
Faced with this observation, Cybermalveillance.gouv.fr and the National Commission for Computing and Liberties (Cnil) published a guide for local elected officials and territorial agents on July 1 to remind them of their obligations and responsibilities in terms of cybersecurity. Prevention is better than cure. Indeed, a cyberattack can have many consequences for the life of a community: the blocking of information systems, the theft of personal data, the interruption of government services … “A computer security incident can occur at any time and in any community,” the guide recalls.
The first obligation of communities is to protect the personal data of their members, whether for internal use (human resources, video surveillance, etc.) or for external use (civil status, school registration, etc.). These matters are overseen by the Data Protection Officer (DPO), who is responsible for the compliance of every data processing operation carried out by the community.
Code of Practice for Teleservices
The second obligation concerns the introduction of local teleservices, i.e. digital reception desks offered by the local government that allow users to complete administrative procedures or formalities electronically (application for social housing, registration in the school cafeteria). Remember that from 5,000 euros in annual income, the introduction of teleservices is mandatory.
These teleservices must comply with the General Security System (RGS). It establishes a set of security rules for local governments and their service providers that assist them in their efforts to keep their information systems secure. Several steps are required: conducting a risk analysis, defining security objectives, implementing appropriate safeguards, certifying the information system, and ensuring operational monitoring.
Finally, local governments must comply with regulations regarding the posting of health data collected during prevention, diagnosis, care, or social and medico-social activities. These activities are often carried out by local authorities for departments run by social assistance and for communes run by community centers for social action.
Multiple penalties apply
In the event of an incident, local authorities may be held legally liable, the guide says. Thus, Cnil can impose a financial penalty of up to 20 million euros. Citizens can also take action when a local government has violated its obligations and that violation has harmed them.
Sanctions are also possible at the criminal level. For example, carrying out the processing of personal data, or having it carried out, without implementing measures aimed at ensuring the security of such data is punishable by five years in prison and a fine of 300,000 euros.