It is now official: with the publication on January 25 of the Orientation and Programming Law of the Ministry of the Interior, it will now be necessary to file a complaint within 72 hours in order to hope to be reimbursed by its insurer for losses and damage caused by computer hacking.
This provision, which will come into force in three months, caused much ink to flow throughout the parliamentary examination of this text. But not necessarily wisely. As Vincent Strubel has just pointed out, however, there has been no “fundamental change with this text”.
Mess up in the com
In front of the press, the boss of the French cyberfirefighter thus recalled that it was not so far prohibited to pay a ransom and that an insurer was not prohibited from reimbursing a ransom.
In short, nothing would have really changed, apart from the obligation to file a complaint if you want to use your insurance. “There was a mess in the communication of the State”, deplores the director general of Anssi, with, he regrets, “bad interpretations” in the clarification of the existing legal framework.
Critics of the provision felt that mentioning in black and white the payment of a ransom in a legislative text amounted to giving the administration an endorsement of this kind of racketeering. The doctrine of the State is however not to pay the ransom demanded by gangs of ransomware.
No specific mention of the ransom
Among the criticisms heard, the text voted by Parliament no longer specifically mentions the payment of a ransom, which is now included in the broader set of losses and damages. A job of rewriting which shows that the initial drafting of the provision by the government had been botched.
In the end, the case is quite disappointing. Rarely have MPs and senators taken so much time to debate a piece of legislation relating to the fight against cybercrime. However, its effects seem very limited. As professionals point out, the provision will only affect very few organizations for the moment, given the very low rate of cyber insurance subscription.