On Thursday 25th July, the French data protection authority, the CNIL, announced that it had issued a fine of €180,000 against the insurer Active Assurances, on the basis that the company had "breached its obligation to secure personal data provided for by Article 32" of the GDPR. As a reminder, Article 32 of the GDPR requires organizations to implement "appropriate technical and organisational measures to ensure a level of security appropriate to the risk".
So what happened here? In 2018, a customer alerted the CNIL that he was able to access the personal data of other customers, including their driver's licenses, registration cards and bank identification records, simply by changing the numbers at the end of the URL in the browser. The French national agency for the security of information systems (ANSSI) also notified the CNIL that it was possible, without any authentication, to access customers' personal data stored on the company's website through a search on the DuckDuckGo search engine. The CNIL notified the company, which agreed to take corrective measures to protect its customers' data.

However, when the CNIL conducted an on-site inspection, it found that the measures taken were insufficient to prevent customer accounts from being indexed by search engines: according to the CNIL, the company should have prevented search engines from indexing pages and documents containing personal data, for example through the use of a "robots.txt" file. In addition, it was the company that set the passwords of all customers, and the CNIL did not consider those passwords to be complex: in each case the password was the birthdate of the relevant customer, and this fact was clearly stated on the login page. Moreover, whenever an account was created, the username and password were sent by email in clear text.

As a result, the CNIL concluded that the company had failed to comply with its obligation to protect its customers' personal data. The CNIL said that when calculating the fine, it took into account the nature of the data and documents involved (identity documents, information relating to infringements and bank details) as well as the number of affected persons.
This decision follows the CNIL's announcement last month (6th June 2019) that it had issued a fine of 400,000 euros against Sergic, a French real estate service provider, for a) failure to implement appropriate security measures and b) failure to define appropriate data retention periods for the personal data of unsuccessful rental candidates. According to the CNIL, the company did not have in place a prior authentication procedure for the access and download of documents on the company's website, allowing users of the website to access data relating to other individuals by slightly amending the URL displayed in the browser bar. In particular, the CNIL stated that an authentication procedure is "a basic security measure" which should have been implemented. At the end of December 2018, the CNIL had also imposed a fine of 250,000 euros on Bouygues Telecom for failure to protect the personal data of the customers of its mobile package B&YOU: according to the CNIL's findings, third parties could access contracts and invoices of B&YOU customers by simply altering the URL on Bouygues Telecom's website.
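The three French decisions turn on the same small set of controls: a document endpoint that checks who is asking before it answers, customer pages kept out of search-engine indexes, and account credentials that are neither guessable nor mailed around in clear text. The following is an added example written for this page, not code from Active Assurances, Sergic, Bouygues Telecom or the CNIL. It models those controls in plain Python over a constructed in-memory store; the customer ids, session tokens, documents and URL prefix `/documents/` are all invented for illustration, and the `fetch_document_insecure` function reproduces the URL-id defect the regulators described so that the hardened `fetch_document` can be compared against it.

```python
"""Defensive counterparts to the failures described in the CNIL decisions.

Constructed example with an in-memory store. It models three controls:
  1. object-level authorization on a per-customer document endpoint
     (the URL-id manipulation issue),
  2. response headers and a robots.txt that keep customer pages out of
     search-engine indexes,
  3. account provisioning that never picks a guessable password for the
     customer and never e-mails a reusable credential.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int      # the customer who is allowed to read it
    kind: str
    content: bytes


class AccessDenied(Exception):
    """Raised for unauthenticated requests and for foreign or missing documents."""


# Constructed sample data: two customers, three documents, two live sessions.
DOCUMENTS: Dict[int, Document] = {
    1: Document(1, 1001, "driving_licence", b"...alice..."),
    2: Document(2, 1002, "bank_details", b"...bob..."),
    3: Document(3, 1001, "registration_card", b"...alice..."),
}
SESSIONS: Dict[str, int] = {"tok-alice": 1001, "tok-bob": 1002}

# Headers attached to every response that carries personal data.
PRIVATE_HEADERS = {
    "X-Robots-Tag": "noindex, nofollow",   # asks crawlers not to index the page
    "Cache-Control": "private, no-store",  # keeps copies out of shared caches
}


def fetch_document_insecure(doc_id: int) -> Optional[Document]:
    """The defect the regulators described: the id taken from the URL is the
    only thing deciding what comes back, so any visitor can read any document."""
    return DOCUMENTS.get(doc_id)


def fetch_document(session_token: str, doc_id: int) -> Tuple[Dict[str, str], Document]:
    """Hardened lookup: require a valid session, then check ownership."""
    customer_id = SESSIONS.get(session_token)
    if customer_id is None:
        raise AccessDenied("authentication required")
    doc = DOCUMENTS.get(doc_id)
    # One identical answer for "no such document" and "someone else's
    # document", so the endpoint cannot be used to learn which ids exist.
    if doc is None or doc.owner_id != customer_id:
        raise AccessDenied("not found")
    return dict(PRIVATE_HEADERS), doc


def robots_txt(private_prefixes: List[str]) -> str:
    """robots.txt body asking crawlers to stay out of the customer area.
    Advisory only: it complements the ownership check above, never replaces it."""
    lines = ["User-agent: *"] + [f"Disallow: {p}" for p in private_prefixes]
    return "\n".join(lines) + "\n"


# --- account provisioning --------------------------------------------------
SETUP_TOKENS: Dict[str, Tuple[int, float]] = {}    # sha256(token) -> (customer, expiry)
PASSWORDS: Dict[int, Tuple[bytes, bytes]] = {}     # customer -> (salt, pbkdf2 digest)


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _digits(s: str) -> str:
    return "".join(c for c in s if c.isdigit())


def provision_account(customer_id: int, ttl_seconds: int = 3600) -> str:
    """Return a random, single-use, expiring setup link token to send to the
    customer. Only its hash is stored; the company chooses no password and no
    reusable credential leaves the system by e-mail."""
    token = secrets.token_urlsafe(32)
    SETUP_TOKENS[_token_key(token)] = (customer_id, time.time() + ttl_seconds)
    return token


def redeem_setup_token(token: str, new_password: str, birthdate: str) -> bool:
    """The customer picks the password. Reject unknown or expired tokens and the
    weak choice criticised by the CNIL (a password that is just the birthdate)."""
    key = _token_key(token)
    entry = SETUP_TOKENS.get(key)
    if entry is None:
        return False
    customer_id, expiry = entry
    if expiry < time.time():
        SETUP_TOKENS.pop(key, None)
        return False
    if len(new_password) < 12 or _digits(new_password) == _digits(birthdate):
        return False            # token stays valid so the customer can try again
    SETUP_TOKENS.pop(key)       # single use: consumed only on success
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    PASSWORDS[customer_id] = (salt, digest)
    return True
```

The ownership check is the control the CNIL called "a basic security measure": the session decides who is asking, the owner field decides what they may see, and the URL id is merely a selector. Returning the same refusal for missing and foreign ids keeps the endpoint from confirming which ids are valid, and the `noindex` header plus `robots.txt` address the separate finding that customer pages were reachable through a search engine.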
Likewise, the Dutch data protection authority (Autoriteit Persoonsgegevens) announced on 16th July that it had imposed a fine of €460,000 on a Dutch hospital under Article 32 of the GDPR. The Dutch data protection authority found that the hospital had taken insufficient security measures, as it had not implemented appropriate access controls and did not have at least a two-factor authentication system in place (i.e. the identity of a user should be verified using a code or password together with a staff pass). The investigation was initiated after dozens of hospital staff had apparently checked the medical records of a well-known Dutch person without any need to do so.
So what do all these cases mean for organizations? Data protection authorities are increasingly active in enforcing security measures, and a large number of impacted individuals is not required for an investigation to be launched: an investigation can also be initiated following the complaint of a single individual, as shown by both the Dutch and the French cases. Appropriately restricting access to personal data is one of the key concerns for authorities. In addition, the fact that the French national agency for the security of information systems (ANSSI) notified the CNIL about its findings demonstrates that regulators are increasingly working together when conducting their investigations.