We wrote several months ago about the imposition of fines by the French data protection authority CNIL (Commission Nationale de l’Informatique et des Libertés) for data protection breaches. Recently CNIL has imposed more fines, including for violation of standards for secure processing of personal data on a website.
The case involved an auto insurance broker. On the broker’s website, users could request a calculation of insurance premiums, conclude an insurance contract, and log on to their account, where various types of personal data were accessible, such as bank statements and information about driving-licence suspensions or convictions for traffic violations.
CNIL’s inspection of the company operating the website followed a notification from a user of such an account, who alleged that he could access the accounts of other users by changing certain elements of the link to his own account and pasting it into his web browser. After verifying this information, CNIL notified the company and demanded that it take certain remedial measures.
A subsequent inspection by CNIL showed that the remedial measures taken by the company were insufficient to prevent unauthorised persons from accessing users’ accounts, and that after an account was opened the login and password were sent to the user in the body of an email.
Consequently, CNIL found that the company had violated Art. 32 of the General Data Protection Regulation, i.e. the duty to implement appropriate technical and organisational measures to ensure the security of personal data. CNIL pointed out that the company was required to design its website so that a user’s account could be accessed only by that user. The possibility of reaching other users’ accounts simply by altering the address in the web browser was impermissible. The company was also obligated to require users to create stronger passwords.
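The design requirement CNIL describes is that the server must check who owns the account, not just which account the URL names. The following added example (not code from the CNIL decision or the broker’s site; account names, IDs and the log format are constructed) shows a lookup that trusts the ID from the URL alone, beside a version that ties access to the authenticated session and records denied attempts for monitoring.

```python
"""Added example: an account lookup keyed only by an ID from the URL,
beside a version that also checks that the logged-in session owns the
requested account. All names, IDs and documents are constructed."""
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: int
    owner: str                 # username of the authenticated user who owns it
    documents: list = field(default_factory=list)


# Constructed sample data standing in for the broker's customer accounts.
ACCOUNTS = {
    1001: Account(1001, "alice", ["bank_statement.pdf"]),
    1002: Account(1002, "bob", ["licence_suspension.pdf"]),
}

# Constructed audit log; a real application would ship this to its SIEM.
DENIED_LOG: list = []


def vulnerable_get_account(session_user: str, account_id: int):
    """Trusts the ID in the URL alone: any logged-in user reaches any account
    (the behaviour the complainant reported to CNIL)."""
    return ACCOUNTS.get(account_id)


def secure_get_account(session_user: str, account_id: int):
    """Object-level authorisation: the requested account must belong to the
    authenticated user. A mismatch returns None, exactly like a missing
    account, so the response does not reveal which IDs exist."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        return None
    if account.owner != session_user:
        DENIED_LOG.append(f"denied user={session_user} account={account_id}")
        return None
    return account


def denied_attempts_for(user: str) -> int:
    """Number of cross-account requests denied for a user; a burst of these
    from one session is a detection signal worth alerting on."""
    return sum(1 for line in DENIED_LOG if f"user={user} " in line)
```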
CNIL imposed a fine of EUR 180,000 on the company. In setting this amount, the authority took into account the seriousness of the breach, the nature and purpose of the personal data (personal identification documents, data concerning criminal offences, and data from bank statements), and the large number of persons affected by the breach. On the other hand, the company’s quick response upon learning of the breach and its cooperation with CNIL weighed in the company’s favour.
The methods used by entities operating on the internet to secure personal data often fall short of the applicable data protection regulations, particularly in terms of technical protection against access to the data at the level of the web browser, such as reaching another user’s account by altering a URL. The actions taken by the French data protection authority may encourage entities processing large quantities of personal data of persons opening accounts on their websites to pay closer attention to whether the security measures they employ are sufficient for compliance with the GDPR.