
In the digital age, information system security has become a priority issue for businesses, public institutions, and even non-profit organizations. Cybercrime continues to grow, and cyberattacks such as ransomware affect organizations of all sizes. Faced with this ever-present threat, companies can no longer rely on simple technical measures. They must structure their approach to cybersecurity, which includes implementing IT charters. Far from being mere administrative formalities, these documents are at the heart of protection mechanisms. Through a summary of the white paper "IT Charters in Business", produced in partnership with the law firm Racine and Eric Barbry, a lawyer specializing in internet law, we explore why these charters have become indispensable, how they fit into a rigorous legal framework, and how they can be adapted to meet new technological challenges, particularly those posed by artificial intelligence (AI).
The IT charter: a legal and practical obligation
The legal framework of the IT charter
While some companies are still hesitant to adopt an IT charter, they are faced with an unavoidable legal reality. French law requires all companies with more than 50 employees to have internal regulations, which must include rules on discipline and security applicable to employees. This includes the use of digital tools provided by the company, such as computers, software, mobile phones, etc. IT charters, although not always specifically mandatory, help formalize these rules and ensure maximum security for information systems.
Furthermore, case law confirms the importance of these documents. For example, in a 2006 ruling, the Court of Cassation considered that an employee who had attempted to log in using a colleague's login details had committed serious misconduct justifying his dismissal, due to a violation of the IT charter in force. In other words, these charters are recognized as legal tools for regulating employee behavior with regard to the use of IT tools, and their absence can weaken the employer's position in the event of a dispute.
Adapting charters to the reality of the company
IT charters are not a one-size-fits-all tool that can be applied uniformly to all companies. On the contrary, they must be tailored to the specific needs of each organization. A start-up working in a sensitive sector such as cybersecurity may have a very strict and detailed charter, while an SME in the distribution sector may adopt a lighter charter. The key is that the content of the policy addresses the specific risks faced by the company.
A good policy must be flexible enough to evolve with technology. For example, traditional IT policies often define rules for password management: minimum length, complexity, frequency of change, etc. However, this approach is already outdated due to the growing use of multi-factor authentication (MFA) and biometric technologies. As such, a policy that is too rigid risks becoming obsolete quickly. The charter's author must adopt a flexible approach, focusing on security principles rather than specific technological requirements that may change over time.
Managing cyberattacks: awareness, training, and regulation
Awareness: the first line of defense
It is now well documented that most cyberattacks exploit human error. Phishing, for example, remains one of the main vectors for ransomware infection. Employees, often the weak link in the security system, are the primary target of cybercriminals. This is why awareness is paramount. IT charters must include clear rules regarding the use of digital tools, but also on the behaviors to adopt to avoid compromising the organization's security.
Awareness can be raised in several ways: communication campaigns, e-learning training, MOOCs, or even face-to-face workshops. The goal is to create a genuine culture of cybersecurity within the company, where every employee understands their role and the risks associated with their actions. Depending on the size and sector of the company, IT charters must be adapted to different levels of risk. In a B2B environment, for example, the risks may be lower than in a B2C environment, where personal data regulations, such as the GDPR, impose very strict security standards.
Training: adapting skills to risks
Beyond raising awareness, training is essential. It is not simply a matter of informing users about best practices, but of providing them with skills tailored to their responsibilities. Network administrators, for example, will need more advanced training than end users. IT charters must therefore provide for specific training for the various roles within the company. HR teams, for example, must be trained in personal data protection, while technical teams must focus on securing systems and using advanced protection tools.
It is essential to take a job-by-job approach to training. A well-trained organization is one that minimizes the risk of human error.
Regulation: control and sanctions
One of the key roles of IT charters is to establish clear rules on how digital tools should be used, but also on the controls that can be exercised. In France, the 2001 "Nikon" ruling set strict limits on the monitoring of employees, particularly with regard to the private use of professional tools. Reasonable private use is permitted, but it must be supervised and proportionate. IT charters make it possible to clearly define the conditions under which an employer may access private files or emails when necessary, for example for security reasons.
Regulation must also include mechanisms for sanctions in the event of non-compliance with the rules. An employee who misuses the company's IT resources or jeopardizes the security of its systems must be aware that they may face sanctions, including dismissal.
Cyberattacks: Victim or culprit?
Here is a key question for businesses: in the event of a cyberattack, are you the victim or the perpetrator? The answer largely depends on how well the organization has prepared and protected its information systems. If a company has not implemented the necessary security measures, it may be held liable for the damage caused by an attack, particularly if personal or confidential data is compromised. IT charters play a crucial role here, as they formalize the security measures that the company puts in place, as well as the responsibilities of each individual.
Failure to comply with these charters can result in severe penalties, not only for employees, but also for the company itself, particularly in terms of legal liability. A company that falls victim to a cyberattack could be accused of negligence if it has not taken the appropriate measures to secure its systems.
Specific charters: administrators, remote working, and AI
Administrators' Charter
The white paper highlights the need for specific charters for certain types of users, particularly system or network administrators. These users have more extensive access rights than other employees and, if abused, can cause considerable damage. That is why it is essential to define strict rules regarding their rights and obligations. Administrators must comply with enhanced confidentiality and security standards and may not use their access privileges for personal or illegal purposes.
These charters must also provide for appropriate sanctions, as administrators represent both a risk and an opportunity for the organization. In the event of serious misconduct, they may be held liable, both disciplinarily and legally.
Teleworking policy
Teleworking, which has been widely adopted since the COVID-19 pandemic, also poses new security challenges. Teleworking charters must regulate the use of IT tools at home, particularly with regard to access to company information systems from personal networks, which are often less secure. It is essential to adopt specific rules to ensure the protection of data and systems, even when working remotely.
AI Charter: Mastering Artificial Intelligence
The introduction of artificial intelligence (AI) in businesses has disrupted many sectors, but it also raises complex questions about security and privacy. The white paper recommends the adoption of specific charters to regulate the use of AI tools, such as ChatGPT or MistralAI, which are increasingly being used by employees.
These charters must clarify the rules for using AI, particularly with regard to the processing of personal data. Employees must be informed of the risks associated with using these tools.
For more information, please refer to the detailed white paper.