France's CNIL Calls for Cybersecurity Recommendations
Regulator Will Publish Guide for Organizations That Process Data on a Large Scale
The French data regulator is calling on operators of large-scale databases to shore up cyber defenses against a slew of threats including nation-states and sophisticated hackers capable of exploiting the supply chain or zero-day flaws.
In a consultation opened Monday, the National Commission on Informatics and Liberty - known as CNIL - named the energy, transport, banking and insurance sectors, internet service providers and government agencies as collectors of sensitive data that should be mindful of the need to safeguard their digital infrastructure against advanced threats.
CNIL said the purpose of the consultation is to establish a set of recommended advanced security practices for organizations engaged in large-scale data processing where a data breach would have significant consequences for individuals, the state or society. The consultation is open until Oct. 8. CNIL intends to publish the recommendations next year.
CNIL opened the consultation just days after French employment agency Pôle emploi announced a breach that outside cybersecurity experts said was a result of late May's mass hacking of MOVEit file transfer software (see: Victims Sue Financial Firms Over MOVEit Data Breaches). French newswire AFP reported the breach likely affected more than 10 million French residents.
CNIL already recommends organizations have a designated data protection and security officer, in addition to the chief information security and data protection officer.
The agency also suggests that organizations have a breach response policy. In addition to stemming any breach swiftly, the policy should spell out response requirements for probable data breach risks, CNIL said.