The French data protection authority, the CNIL, continues to fine organizations for failing to adopt what the CNIL considers to be fundamental data security measures. In May 2019, the CNIL imposed a EUR 400,000 fine on a French real estate company for failing to have basic authentication measures on a server and for retaining information too long. This is the second fine by the CNIL under the EU General Data Protection Regulation 2016/679 (GDPR) after the one against Google. The decision is among many pre-GDPR fines imposed by the CNIL for failing to meet security standards, and shows that data security continues to be a high enforcement priority for the CNIL.
Background
French real estate company Sergic operated a website where individuals could upload information about themselves for their property rental applications. Responding to a complaint by an applicant, the CNIL investigated Sergic in September 2018, as it appeared that applicants’ documents were freely accessible without authentication (by modifying a value in the website URL). The CNIL confirmed the vulnerability and found that almost 300,000 documents were accessible in a master file containing information such as individuals’ government issued IDs, Social Security numbers, marriage and death certificates, divorce judgments, and tax, bank and rental statements. The CNIL also discovered that Sergic had been informed of the vulnerability back in March 2018 but did not fix it until September 2018.
Findings
As a result, the CNIL held that Sergic had failed to ensure:
- Data security: According to the CNIL, a vulnerability (lack of authentication) is an essential requirement to significantly reduce the risk of a data breach occurring, and is one of the most widespread problems; the CNIL has already issued several public fines for cases with similar facts (see this page of the CNIL’s website, for example). This vulnerability does not require any particular computing mastery to exploit – only changing a value in the website URL. The infringement was aggravated by the sensitive nature of the data and by Sergic’s lack of diligence in remedying the security failure (i.e., it took six months to remedy). The fact that no individual was harmed, did not change the result of the CNIL’s decision.
- Storage limitation: The CNIL also held that, if the processing purposes had been reached, personal data would either have to be deleted or archived (i.e., moved to another logically separated section of the active database or to an archiving database); but Sergic did not purge the applicants’ documents.
As a result, the CNIL imposed a EUR 400,000 fine. Unfortunately, the CNIL (again) did not explain how it determined the actual fine amount, other than stating that the fine was justified and proportionate. It is interesting to note that it appears that the CNIL’s rapporteur initially requested a EUR 900,000 fine. Why (and how) the CNIL ultimately reduced the fine to less than half of that amount is not indicated.
Below are a few good practices to consider, given the GDPR and CNIL enforcement activity.
Security and retention good practices in France
Security
- Check the CNIL’s guide on data security, available in French and English.
- Check the CNIL’s guidance on password hygiene, available in French and in English.
- Check other security guides, such as those produced by the French National Authority for the Security of Information Systems, available in French.
- Check security guidance issued in other countries (e.g., the U.S. Federal Trade Commission’s guide for business and security guides from the Australian, Spanish, and U.K. data protection/cybersecurity authorities).
- Don’t reinvent the wheel – leverage your security program across the many areas where the GDPR applies (e.g., data protection impact assessments, privacy by design, record keeping, data breaches, transfers, audits, and processor/processing agreements). Consider also how to repurpose security practices flowing from legislation from other sectors and regions.
- Be prepared (e.g. with the right people, resources, and response plans), responsive, and don’t work in silos – this is especially true when a data breach occurs. Consistent, efficient, and swift communication and action, internally and externally, are key.
Storage limitation
Check legal statutes of limitation, as well as regulatory guidance. For example, CNIL guidance on specific topics (e.g., biometric access controls, HR management, and customer relationship management) may contain explanations of retention periods.