At the end of 2018, a company received an anonymous email saying asking to pay an amount of one million euros to various bitcoin accounts. The attacker claimed to have a lot of confidential information of the company.
After investigations, including petitions to the court to identify the attacker, the victim company identified one of its former employees (its technical director) and filed a complaint against him. The former collaborator admitted the facts. In December 2019, the correctional court of Nanterre (France) sentenced him to six months suspended imprisonment and a fine of 10,000 euros for:
- access and maintenance in the company’s data processing system
- fraudulent data extraction
- attempted extortion of funds
In January 2020, the correctional court of Nanterre ruled on civil interests and further ordered him to pay a sum of 10,000 euros for moral damage and 315,000 euros for material damage (costs relating to the procedure of declaration of data breach with the CNIL, crisis communication, search for technical evidence, legal costs). The former employee appealed against this judgment.
In a judgment of June 30, 2021, the Versailles Court of Appeal overturns the judgment of the criminal court.
First of all with regard to the material damage, the Court of Appeal held that the company did not provide proof that it itself had borne the costs associated with the ransomware.
With regard to moral damage, the Court of Appeal does not question the compensation for such damage for a legal person (already recognized by case law). On the other hand, it rejects compensation for damage caused by anxiety, recalling that such damage only benefits natural persons. In order to benefit from reparation for its damage to its image, the company would have had to demonstrate a degradation of its reputation or its image with its customers.