Universal Registration Document 2022

Groupe Profile

6. Cybercrime and IT systems failures

High

The digital marketplace is expanding at a rapid pace, and the reliance on information technology has never been greater. This dependence represents risks for the Groupe, such as a malicious attack, technical failure, or internal threats that could lead to an interruption of services, the loss of personal data, or the loss of data integrity or disclosure of confidential information.

Systems failures can be the result of malicious events, natural events and technical breakdown. These failures may directly impact the Groupe or one of its partners or suppliers. This can potentially lead to long periods of malfunction and impede the Groupe’s ability to serve its clients.

Malicious activities may take the form of denial-of-service attacks, or of generic or targeted ransomware-type attacks that directly impact the Groupe’s infrastructures or the systems of its suppliers or partners. 2020 marked an acceleration and a significant professionalization of these attacks in the context of the pandemic and the major changes in the way of working. These attacks can obstruct normal business operations and even suspend them momentarily, while infecting client deliverables and even clients’ own network environments, causing significant damage.

The increased use of outsourced software and IT infrastructures (Cloud Computing) extends the Groupe’s “attack surface” and complicates securing data and tools.

Insider threats, although normally not malicious, can also be seriously detrimental to normal business operations. Untrained or uninformed staff can unwittingly share sensitive or personal information, or innocently fall prey to a variety of cyberattacks (targeted or other phishing, CEO fraud, etc.). The malicious or disgruntled insider, even though this situation is rare, can also inflict serious reputational or financial damage by voluntarily releasing confidential and sensitive information or by committing acts of sabotage resulting in technical failure.

These risks of cybercrime and information system failures can have adverse consequences, including in terms of costs (cost of remediation, contractual penalties due to clients, fines or liability claims), loss of revenue or loss of reputation for the Groupe.

 

7. Personal data confidentiality

High

Advertising and communication activities involve the processing of a significant volume of personal data. Regulations governing personal data protection are complex, constantly evolving, differ from country to country and generate significant and growing compliance costs. European supervisory authorities are showing increased vigilance by imposing penalties that are increasingly significant. Control policies, regulatory interpretation and restrictions on cross-border data transfers are becoming increasingly stringent. The European Union also introduced regulations which affect the advertising and marketing industry with the ambition of turning the European Union into a single digital market and “creating a safer digital environment which protects consumers’ fundamental rights and establishes fair competition conditions for companies”. These are the Digital Services Act, the Digital Markets Act, the Data Governance Act and the ePrivacy regulation.

Since the implementation of the General Data Protection Regulation (EU) 2016/679 of April 27, 2016 of the European Union (GDPR), an increasing number of countries across the globe are adopting personal data protection regulations. In the absence of a federal regulation in the United States, California adopted the California Consumer Privacy Act (CCPA), which came into force in January 2020; it was supplemented in October 2020 by the California Privacy Rights Act (CPRA), which came into force in January 2023. The CCPA provides consumers a right to opt out, allowing them to suspend the sale of their personal data. The CPRA strengthens the requirements in connection with how companies are authorized to use personal data of consumers in California. Other US states have adopted or are on a path to proposing their own draft laws on the protection of personal data, which, if passed, will continue to make the situation complex by further fragmenting the legislative landscape. A draft federal law on the protection of personal data could be reintroduced in 2023.

In 2021, Brazil and the People’s Republic of China passed their personal data protection laws. In 2022, other countries such as India, Australia and Saudi Arabia introduced more substantial laws on personal data protection.

Any unauthorized loss or disclosure of personal data may lead to significant damages for the persons concerned, who may sue the Groupe. The Groupe, which deals with an increasing quantity of personal data, could be subject to increased scrutiny by supervisory bodies. Any breach of applicable regulations may, on top of any liability suits and sanctions against the Groupe, including pecuniary penalties, create a loss of client confidence and have an adverse impact on the Groupe’s reputation and activities.