Legal Tools for IT Security
IT security is at a crossroads, requiring at once technical, organizational, managerial, and legal skills. Organizations must therefore implement a collaborative effort to bring these skills together and into dialogue with each other. However, dialogue alone is not enough. Specific security objectives must be defined and achieved, taking into account the threats specific to each organization's information system. Security cannot be achieved without objectives and performance measurements, to be incorporated into a risk analysis and vulnerability testing. Concrete actions will then be defined to compensate for the risks and vulnerabilities identified.
However, not all organizations are prepared to invest sufficiently in this digital risk management approach, even though they will all readily acknowledge the significant increase in threats and attacks in recent years. The consequences of cyberattacks are well known; they often have a serious impact on a company's image and financial situation, which far exceed the cost of ensuring security. Geopolitical tensions and sovereignty issues are reviving this need for security, which is becoming a prerequisite to earning the trust of business partners, in the broadest sense. In this sense, security is becoming an investment rather than an expense.
To strengthen the IT resilience of economic players, the law has stepped in. We have thus shifted from a “right to security” to an “obligation to secure” ourselves. If the victim of a harmful attack or act of negligence failed to implement the required security measures (in accordance with the state of the art, which we will discuss later), then they could be blamed for contributing to the occurrence of the damage. This is the fairly classic legal concept of victim fault.
How can we ensure that each organization has effectively fulfilled its security obligations and has therefore not committed any fault? What legal and institutional tools are available to support organizations in this process?
We propose to present the main applicable rules of law and their scope in order to shed light on the legal aspects of IT security within organizations. We will also present the legal tools available to strengthen your system.
1. What are the applicable regulations? How do they interact?
In recent years, European and national legislators have been busy adopting legislation aimed at ensuring data security and protecting organizations against cyber threats. A set of obligations has been imposed on organizations, particularly financial institutions, which must comply with a comprehensive legal framework.
It is therefore up to each organization to identify and master the relevant references in the legal framework applicable to cybersecurity, in order to be able to demonstrate its compliance with legal security requirements. To this end, legal professionals work with their clients to build a precise and comprehensive statutory and regulatory compliance framework at several levels: international conventions, European texts, French laws, French regulations, and other standards and frameworks produced by regulators or other authorities (CNIL, ACPR, ANSSI, etc.).
The aim is to establish a legal compliance framework and then to update it as part of a multidisciplinary monitoring process. Lawyers are well versed in this exercise.
2. What legal tools are available for digital security?
Digital security is no longer just a standard technical issue: it is now a regulatory issue for certain activities and products, a contractual issue in most procurement procedures, and is also becoming a strategic issue. A distinction must be made between tools related to risk prevention and those related to remedial or liability actions.
2.1 Preventive measures
2.1.1 Security clauses in IT contracts
For Chief Information Officers (CIOs) and Chief Legal Officers (CLOs) alike, security clauses in contracts with IT service providers require special attention. Their wording, precision, and alignment with the company’s operational reality determine not only the IT system’s robustness but also the organization's ability to deal with a cyber incident.
The primary function of these clauses is to clarify the division of responsibilities in terms of digital security. Who is responsible in the event of an intrusion, data leak, or system unavailability? Does the service provider commit to an obligation of means or an obligation of result? Without precision, contractual gray areas can turn into costly disputes.
The clauses must therefore explicitly frame the security commitments, including in the event of subcontracting, outsourcing, or use of cloud services.
It is no longer acceptable to simply stipulate that each party undertakes to comply with its statutory and regulatory obligations in the area of security and, in particular, to comply with best practices.
Indeed, the central challenge of security clauses is to precisely define the security measures to be implemented. Rather than vague wording ("the service provider guarantees an optimal level of security"), it is therefore advisable to refer to objective standards: ISO/IEC 27001, SecNumCloud, OWASP, ANSSI guides, etc., which make it possible to guarantee the effectiveness of the level of security invoked (these standards are based on concrete operational, organizational, and technical measures).
The contract must also specify procedures for updating, managing vulnerabilities, controlling access, and logging events. These elements must be aligned with the criticality level of the system or data being processed.
In the event of a security incident, responsiveness is crucial. Contracts must provide for clear procedures for detection, notification, and crisis management. This includes setting alert times, points of contact, collaboration obligations, and the content of any reports to be provided.
It is strongly recommended to include a business continuity plan (BCP) or disaster recovery plan (DRP) with specific indicators (RTO, RPO) that are tested regularly. Crisis management cannot be improvised: it must be contractually anticipated.
For the customer, it is essential to be able to verify that security commitments are being properly fulfilled. Contracts must therefore include an audit right, whether periodic or triggered in the event of an incident or serious doubt.
Contractual cybersecurity is not an option. It is a strategic lever for digital risk governance, compliance, and resilience. Well-drafted, precise clauses that are aligned with technical and regulatory standards provide essential legal and operational protection.
It is recommended that the IT agreement refer to the IT charter or information system security policy (ISSP), particularly when the service provider has access to the company's IS or processes sensitive data. This gives the service provider a clear framework that is consistent with the company’s actual situation. It also provides the service provider with reference documentation it can use to demonstrate that it has fulfilled its contractual obligations.
Standards such as ISO 27001 or ANSSI requirements make it mandatory to formalize security rules and impose them on all IS stakeholders, including third parties. Referring to the security charter or policy in contracts is therefore a way to ensure regulatory and normative compliance.
Lastly, access management must be unified: even the best logical access control policy is useless if critical machines can be physically accessed without control. It is essential to have consistent traceability of access, whether physical (badges, electronic locks, video surveillance) or logical (authentication, user rights, remote connections). The GDPR, the NIS 2 Directive, and the ANSSI standards (SecNumCloud, PDIS, PVID, etc.) require integrated, systemic, and comprehensive security.
2.1.2 IT security contracts
It is clear that most companies need to strengthen their cybersecurity measures. This involves, in particular, the use of specialized service providers. However, when a contract’s subject matter directly concerns IT security (penetration testing, managed services, audits, SOC supervision, incident response, etc.), its level of legal robustness must be high, as the parties' liability, regulatory compliance, and the continuity of the client's business depend on it.
The contract must precisely describe what the service provider undertakes to do, on what and how.
This includes:
- the technical scope (network, workstations, servers, applications, cloud, etc.);
- the objectives (compliance audit, security, vulnerability detection, etc.);
- methods (penetration testing, black-box testing, monitoring, log management, etc.).
Any ambiguity in the scope may result in critical areas of non-coverage and therefore be a source of subsequent litigation. It is also advisable to specify what is not covered and to formalize the advice and alerts given to the client regarding the limits of the service.
In most cases, cybersecurity service providers commit to an enhanced obligation of means: they must implement all the technical and human diligence expected of an experienced professional. However, some services may include obligations of result (e.g., deployment of an encryption solution with a guaranteed coverage rate). The nature of the commitment must be specified in the contract. In other cases, only best-efforts obligations will be stipulated.
Service providers often attempt to limit their contractual liability. This may be acceptable, but only on condition that the following are provided for:
- a liability cap that is proportionate to the stakes;
- specific liability in the event of non-compliance with the security requirements defined in the contract.
In SOC, MDR (Managed Detection and Response), or incident response contracts, time commitments are essential. The contract must provide for:
- a maximum time limit for detecting and classifying an incident;
- a response time based on criticality;
- service hours (24/7, business days, etc.).
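The three time commitments listed above only protect the client if they can be measured against the provider's own ticket data. The following added example (not code from the article or any provider) does that: it checks detection/classification and response delays per incident, counting only minutes inside the contracted service window; the SLA values, the business-hours window and the incident records are constructed assumptions.

```python
"""Measuring SOC/MDR time commitments against ticket data (added example).

Checks the three items the article lists (detection/classification limit,
criticality-based response time, service hours), counting only minutes inside
the contracted service window. SLA values and incidents are constructed assumptions."""
from datetime import datetime, timedelta

SLA = {  # assumed contract terms; all limits in minutes of covered (in-window) time
    "detect_and_classify_max": 30,
    "response_by_criticality": {"critical": 60, "high": 240, "medium": 480, "low": 1440},
    "service_hours": "business",   # "24x7" or "business" (Mon-Fri 09:00-18:00 assumed)
    "business_window": (9, 18),
}

def in_window(t: datetime, sla: dict) -> bool:
    """True if minute t falls inside the contracted service hours."""
    if sla["service_hours"] == "24x7":
        return True
    start, end = sla["business_window"]
    return t.weekday() < 5 and start <= t.hour < end

def covered_minutes(start: datetime, end: datetime, sla: dict) -> int:
    """Minutes between start and end during which the provider's clock actually runs."""
    if end <= start:
        return 0
    if sla["service_hours"] == "24x7":
        return int((end - start).total_seconds() // 60)
    minutes, t = 0, start.replace(second=0, microsecond=0)
    while t < end:  # minute-by-minute walk is fine at incident timescales
        minutes += in_window(t, sla)
        t += timedelta(minutes=1)
    return minutes

def evaluate(inc: dict, sla: dict = SLA) -> dict:
    """Per-incident verdict: measured delays and whether each commitment was breached."""
    detect = covered_minutes(inc["alerted"], inc["classified"], sla)
    respond = covered_minutes(inc["classified"], inc["responded"], sla)
    limit = sla["response_by_criticality"][inc["criticality"]]
    return {"id": inc["id"], "detect_minutes": detect,
            "detect_breach": detect > sla["detect_and_classify_max"],
            "response_minutes": respond, "response_limit": limit,
            "response_breach": respond > limit}

# Constructed ticket export (2024-03-04 is a Monday, 2024-03-08 a Friday).
INCIDENTS = [
    {"id": "INC-1", "criticality": "critical", "alerted": datetime(2024, 3, 4, 10, 0),
     "classified": datetime(2024, 3, 4, 10, 20), "responded": datetime(2024, 3, 4, 11, 45)},
    {"id": "INC-2", "criticality": "high", "alerted": datetime(2024, 3, 8, 17, 50),
     "classified": datetime(2024, 3, 11, 9, 15), "responded": datetime(2024, 3, 11, 12, 0)},
]

def breaches(incidents: list = INCIDENTS, sla: dict = SLA) -> list:
    """IDs of incidents where at least one contractual time limit was missed."""
    return [v["id"] for v in map(lambda i: evaluate(i, sla), incidents)
            if v["detect_breach"] or v["response_breach"]]
```

INC-2 illustrates why the service-hours clause matters: the same Friday-evening alert is compliant under a business-days contract but a clear detection breach under a 24/7 one.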
A cybersecurity contract cannot be treated like a standard IT contract. It is a strategic tool for protecting the company against digital threats. It is therefore essential that both the CIO and the CLO are involved in drafting it. Each clause should be designed as a protective barrier, both technically and legally.
2.1.3 Charters and other organizational and educational tools
Organizations must supplement their technical measures with legal and organizational tools. Charters, policies, and procedures play a crucial role in regulating behavior, structuring responsibilities, and raising user awareness.
The IT charter and security policy should be formally approved by the company's decision-making bodies, regularly distributed internally, and updated to ensure their full effectiveness.
The IT charter is an internal document that defines the conditions of use of the company's digital resources. Its aim is to prevent misuse, remind users of good cybersecurity practices, and allow for disciplinary action in the event of a breach. It should cover the following points in particular:
- Scope of application: users concerned (employees, service providers, etc.);
- Rules on the use of equipment, software, and remote access;
- Security obligations: passwords, updates, vigilance;
- Prohibited uses: illegal content, circumvention of protections;
- Confidentiality, GDPR compliance;
- Traceability requirements, IT controls;
- Terms of acceptance (signature or electronic validation).
The ISSP, meanwhile, is a strategic document that sets out general guidelines for cybersecurity. It is supported by management and structured by the IT department.
It includes, in particular:
- Security objectives (availability, integrity, confidentiality);
- The role of stakeholders (IT department, Chief Information Security Officer, business lines, etc.);
- Guiding principles (data protection, risk management);
- Derivative policies: HR-ISSP, industrial ISSP, cloud ISSP, etc.
Internal procedures govern day-to-day security practices: account creation, access control, use of encryption, incident management, etc. They are essential for ensuring operational security and an auditable framework. They must be clear, formalized, and known to all stakeholders.
Users are sometimes the weak link in the cybersecurity chain. It is therefore essential to train them through:
- best practice guides;
- e-learning modules;
- awareness campaigns (simulated phishing, posters, videos).
These actions reinforce vigilance and contribute to the company's cybersecurity culture. Certain regulations, particularly NIS2, require organizations to provide training.
Legal tools designed for organizational or educational purposes are therefore important levers for cybersecurity prevention and governance. When well-written, well-structured, and well-disseminated, they enable companies to protect their information systems and mobilize their employees around security.
2.1.4 Reminder of standards and definition of state of the art
IT contracts often refer to best practices. In any case, it should be noted that even when no reference is made to them, the need to comply with best practices is presumed by default in this type of contract. To avoid this, it would be necessary to stipulate that the services will be provided without any obligation to comply with best practices. Obviously, this never happens. By default, the obligation to comply with best practices will apply.
But what is the state of the art?
It is the state of scientific knowledge and best practices in a given technological sector at a given point in time. It is a benchmark that any normally diligent and competent professional must comply with.
Parties to the contract will often wonder how to give operational content to such a definition. In reality, this content comes from scientific publications, from knowledge disclosed by professors and researchers, and from qualitative and normative benchmarks built up and published by sector professionals and institutions, such as the standards referred to in the legal compliance framework mentioned at the beginning of this article.
Where applicable, the state of the art can be defined by an expert in a private consultation or at the request of a judge who appoints an expert to clarify a technical point for the purpose of making a ruling.
2.2 Remedial measures
Setting up a cybersecurity crisis unit within an organization is essential to respond effectively to incidents and limit their impact. The roles and responsibilities of each member should be identified. The unit should be multidisciplinary and can include:
- Head of the crisis unit (often the CISO or CIO)
- Technical security team (SOC analysts, network/system administrators)
- Senior management
- DPO (in the event of a personal data breach)
- Legal manager
- Internal/external communications manager
- HR representative (in the event of an HR data breach or human impact)
- Cybersecurity insurer (if you have a cyber insurance policy)
It is necessary to put in place the tools and resources associated with the proper functioning of the crisis unit, especially since, in the event of a major attack, electronic means of communication might be impaired.
• Crisis room: physical or virtual (in the event of remote working or unavailability of premises).
• Backup communication channels (outside of affected systems, e.g., WhatsApp, Signal, telephone).
• Runbooks: detailed procedures to follow depending on type of incident (ransomware, phishing, data leaks, etc.).
• Access to logs, backups, and detection tools (SIEM, EDR, etc.).
The crisis management plan (CMP) should include:
• Incident scenarios (internal threat, ransomware, DDoS attack, etc.).
• The alert and escalation procedure.
• Criteria for triggering the response team.
• The decision chain.
• Remediation and communication actions at each stage.
It is also necessary to set up an Incident Detection System that is capable of automatically alerting the unit according to detection rules (IDS, SIEM, etc.).
Finally, crisis exercises should be carried out regularly:
• To test coordination and response speed.
• To assess the clarity of procedures.
• To identify weaknesses.
After each incident, it is important to capitalize on the experience:
• Conduct a post-mortem analysis.
• Document areas for improvement.
• Update procedures and the crisis plan.
It is often necessary to ensure, and therefore to anticipate, the preservation of "hot" evidence, which is volatile and disappears quickly from information systems. It is therefore advisable to have selected IT experts who are already familiar with the technologies used in the organization, the architecture of the information system, and the key intangible assets, so that they can carry out backups or assessments efficiently and quickly.
We therefore recommend (i) selecting two or three experts who are likely to be able to intervene effectively and at short notice and (ii) preparing the terms and conditions of their intervention with them in advance. We suggest preparing standard engagement letters based on pre-negotiated fees, so that alternate experts can be called upon if the first on the list is not immediately available.
The same applies to judicial officers, who play an essential role in the expert appraisal process. In this connection, it should be noted that the affected equipment should not be turned off immediately after a cyberattack, but simply disconnected from the internet. This is because cutting the power supply empties the cache and buffer memories, which may contain evidence that investigators will later need in order to trace the source of the attack.