The urgency of a crisis and the specific context of an IT incident mean that we must not fall into the trap of rushing into action. Employers need to take into account a number of rules and precautions to ensure that the rights of employees are respected as far as possible, particularly with regard to their right to privacy.
The resolution of a cyber crisis may require technical teams to intervene on the computer of one or more employees in order to investigate the origin of the incident (sampling of event logs, analysis of a malicious attachment, etc.). At this stage, even if the suspicion is directed at an employee’s workstation, that employee is not necessarily considered to be at fault. It is possible, for example, that a third party has fraudulently gained access to the computer.
A distinction should be made between investigations aimed at the technical resolution of the crisis and those aimed at gathering evidence against an employee. This note therefore does not address the question of whether evidence gathered during the investigation may be used to establish the employee’s liability in the event of a sanction by the employer or a labour dispute.
During a cyber crisis, can the employer check the contents of the employee’s work computer and/or hand it over to the company’s technical teams for investigation?
I – Mandatory compliance before examining an employee’s computer
Necessity of a legitimate reason and proportionality to the objective pursued
The law requires an employer to have a legitimate reason for monitoring an employee’s computer. The monitoring must be justified and proportionate to the objective pursued. Mere curiosity on the part of the employer is therefore not sufficient to constitute a legitimate reason.
The need to ensure the security of the computer network – in particular to resolve a cyber crisis – appears to be a legitimate reason.
In conclusion, the need to remedy the incident in the case of cyber crisis management appears to be proportionate and constitutes a legitimate reason for the employer to access the contents of the computer.
Prior checking of the IT charter/house rules/corporate policies and procedures
The CNIL (Commission Nationale de l’Informatique et des Libertés, the French Data Protection Authority) recommends that the procedures for accessing data stored in an employee’s IT environment should be defined in advance, in consultation with employees, and communicated to them.
It is advisable to check whether this situation has already been regulated by an internal charter or memos.
If the company has one, provisions can be included in the IT charter. These may include specific procedures for accessing the contents of employees’ hard drives.
In conclusion, if your company has an IT charter, you should make a point of reviewing it. If it doesn’t, it could be an opportunity for the company to improve, particularly by including specific provisions in the event of a cyber crisis.
No employee authorisation required for computer searches
- The employee’s permission is not required to access his or her work computer. The same applies to any peripherals connected to the computer that are considered to be work-related (e.g. a USB stick).
No obligation to summon the employee in case of extreme urgency
- Employees are not required to be present for work to be carried out on their computer in the event of an emergency, i.e. a “specific risk or event”.
- However, the assessment of this urgency could be questioned a posteriori. For this reason, it would be preferable to wait until the employee is present, or at least to give him or her advance notice if possible.
II – Investigation of an employee’s computer by technical teams and/or the employer
Once the necessary checks have been carried out and the legal framework defined, the investigation can begin. Depending on the situation, it may be advisable for at least two people (HR, DPO, mandated expert, etc.) to investigate.
In addition, if the employer or the technical team needs a password to access the employee’s computer, the employee is obliged to provide it.
Care must be taken when examining an employee’s computer
1) The need to distinguish between the employee’s personal and work files/emails
- In principle, messages sent or received on the company e-mail system are of a professional nature. The employer is therefore entitled to read them in the employee’s absence. In addition, folders and files created by the employee on the computer provided by the employer are also presumed to be of a professional nature.
- However, if a file/folder or the subject of an e-mail is marked ‘personal’ or ‘private’, the employer must not access it, as it must respect the confidentiality of correspondence.
- Nevertheless, in the event of a specific risk or event, case law has maintained the possibility for the employer to access these documents. This presumably also applies to cyber crisis management, although there is no case law on the point. In addition, the internal rules may contain provisions that limit the employer’s right of access by making it subject to other conditions, such as the employee being present.
- It is also possible for the employer to make a complete copy of the employee’s hard drive in the employee’s absence. The hard drive can then be entrusted to an appointed expert who will exclude from his report any documents identified as personal. If it is necessary to preserve evidence, it is advisable to call in a bailiff to draw up a report, accompanied by the expert in question.
2) The role of the network administrator
- If the security of the computer network so requires, the network administrator may read all employees’ emails, regardless of their personal/private nature. However, they may not disclose the contents to the employer. This is therefore a possible investigative tool to resolve the crisis technically and not to gather evidence against the employee.
- However, the CNIL specifies that such access “can only be justified in cases where the proper functioning of computer systems could not be ensured by other, less intrusive means”.
3) Presumption of professional nature of connection data
- An employee’s connection data (browsing history, favourites, etc.) are considered to be of a professional nature if they have been created using the IT tool provided by the employer for the performance of the employment contract. The employer may therefore consult them without requiring the presence of the employee.
A reminder of the network administrator’s duty of confidentiality
- On 17 December 2001, the Paris Court of Appeal ruled that: “It is the function of network administrators to ensure the normal operation of networks and their security, which means, among other things, that they must have access to messages and their content, if only to unblock them or avoid hostile action”.
- Network administrators are therefore bound by professional secrecy, particularly if they are likely to become aware, voluntarily or otherwise, of private correspondence or personal files of employees.
- This duty of confidentiality can be set out in the company’s IT charter and in the network administrator’s contract of employment.
Investigations on an employee’s computer must therefore be carried out with particular care, and they should not be rushed, so that the employee’s rights are respected. It may also be advisable to consult a specialist lawyer.
Court of Cassation, Social Division, 17 May 2005, No. 03-40.017: the employee does not have to be summoned in the event of a “particular risk or event”.
Court of Cassation, Social Division, 18 March 2003, No. 01-41.343.
Court of Cassation, Social Division, 18 October 2011, No. 10-26.782.
Court of Cassation, Social Division, 2 October 2001, “Nikon”: employees are entitled, even at work, to respect for the privacy of their private lives, including the confidentiality of correspondence.
Court of Cassation, Social Division, 26 June 2012, No. 11-15.310.
CNIL, Guide for employers and employees, 2008, p. 22.
Court of Cassation, Social Division, 9 July 2008, No. 06-45.800.