At the beginning of the year, Isabelle Falque-Pierrotin indicated that 80% of inspections revealed weaknesses concerning data security.
The security of personal data is a basic principle of data protection (1).
It is also an obligation of the General Data Protection Regulation (GDPR). Any organization that processes personal data must implement appropriate technical and organizational measures to guarantee a level of security adapted to the risk for the rights and freedoms of individuals.
The violation of a basic principle or an obligation of the GDPR is liable to financial sanctions of several million euros not to mention the impact on the image and reputation of the company in case of publication of the sanction.
Yet in most cases IT security is not the company management’s primary concern, and the return on investment of security spending is a long-standing debate.
The comparative analysis of deliberations delivered by the French Data Protection Authority (CNIL) and the terms of the GDPR leads us to believe that companies underestimate the risks of sanctions linked to a data security breach.
1st mistake: “The probability of being the subject of a control by the CNIL is low”.
The security obligation is closely linked to the obligation to notify and communicate violations of personal data to the authority and to the data subjects where appropriate. This obligation to notify a violation of personal data is an “obligation to achieve a fixed result” (2); since May 25th 2018, companies in the telecommunications sector are no longer the only ones concerned since this obligation has been extended to companies in all sectors of activity.
– In practice, it is often on the occasion of a security breach (illegitimate access to data) of which the French Data Protection Authority has direct or indirect knowledge (notification, report, information from the media) that it conducts investigations and finds non-compliance with these obligations.
Today, however, no company is immune from a cyber-attack, negligence or a security breach involving its Processor.
– Moreover, any data subject has the right to mandate an institution, an organization or a non-profit association to lodge a complaint on his behalf with a supervisory authority and/or to seek an effective judicial remedy against a Data Controller or Processor, and to exercise his right to compensation. Noyb (3), La Quadrature du Net (4), UFC-Que Choisir (5), to name but a few, have already initiated actions concerning personal data protection, and this type of action is likely to increase.
2nd mistake: “in case of control, it will be enough to collaborate with the CNIL and to be reactive to avoid a sanction”.
The responsiveness and cooperation of the company being controlled are essential, and the CNIL does not fail to mention this in its deliberations, but this does not prevent it from imposing financial sanctions, for several reasons detailed below:
Some security measures are basic. The absence of such preventive and control measures therefore in itself constitutes non-compliance with the Data Protection Act and the GDPR.
– Regarding the production of new website functionalities, the CNIL regularly stresses the importance of carrying out a complete test protocol before (6) a website is put into production and of conducting regular controls of security measures after deployment. Thus, the structure of the URL must not include an identifier, must not make it possible to identify or predict the access path to stored files (see for example the deliberations of the CNIL against the companies Optical Center, Web Edition, Darty & Fils, ADEF (7) and Ouicar), and must not include the authentication secret, as was noted in the case against the Socialist Party.
– The CNIL has also just pointed out that the exposure of personal data without authentication or other prior access control has been identified for many years as one of the security holes that must be checked for: see ADEF, Web Edition (8), Optical Center. The same applies when access to data (e.g. video surveillance images) is not protected by a sufficiently strong username and password (9).
– Passwords must not be kept or transmitted in the clear but in a secure manner: for example, the CNIL reproached Daily Motion (10) for keeping a password permanently written in the clear in the source code so that the service account could connect. During an audit of the company Allocab (11), the French Data Protection Authority denounced the transmission in clear text of the user ID and password.
– Connections and data flows must be secured: Genesis Industries Ltd (12) was sanctioned for transmitting messages between users and toys over unencrypted HTTP; access to user account login pages and to pages containing a personal data form must be secured with HTTPS (13). Connections to a payment platform must be traced, i.e. logged (14).
– The Bluetooth communication device must be secured (e.g. by a pairing button, PIN code or authentication) (15) .
– The remote connection must be secured, for example by IP address recognition or VPN, as reminded to Daily Motion.
– The most sensitive data must be stored in a sufficiently secure manner:
– Encryption must comply with the state of the art: in its deliberation against the Socialist Party, the Commission noted that the data were hashed with unsalted MD5;
– Protection of secrecy: salt must be kept in a separate area from the one where passwords are stored;
– Credit card numbers must not be kept in clear with cryptograms (16).
– Access to data must be strictly limited to those who need to know it: Cdiscount was thus sanctioned because all of its providers had access to bank data in clear text;
During the CNAMTS audit, the CNIL found that SNIIRAM users and Processors had illegitimate access to the data (17).
– Finally, from 2012, the CNIL indicated that “it is pointless to want to impute to the software publisher […] its default setting criteria, whereas it is up to the Data Controller to adapt the conditions of use of this software to its own population” (18).
Certain elements related to data processing constitute aggravating factors of a breach of the security obligation
Since before 2018, the CNIL has always taken contextual factors into account when imposing sanctions.
The GDPR states that in deciding whether to impose an administrative fine and the amount of the administrative fine, account shall be taken, inter alia, of the nature, gravity and duration of the violation, whether the violation was committed deliberately or negligently, and of any measures taken by the organization to mitigate the harm suffered by the data subjects, the technical and organizational measures implemented, the degree of cooperation with the supervisory authority, the categories of data concerned, the manner in which the supervisory authority became aware of the breach, in particular whether and to what extent the breach was notified to it.
As early as 2012, the Commission stressed the fact that the “risk had to be weighed against the fact that the company holds the valid bank details of some ten million people” (19).
In the sanction pronounced against Daily Motion, the CNIL took into account the volume of data (82.5 million e-mail addresses), even though the attack suffered by the company could be described as sophisticated and the number of data categories involved was limited because the passwords were encrypted, which reduced the risk to the privacy of the data subjects.
The CNIL also considers the sensitivity of the data: information likely to reveal political opinions (20), Social Security number and health data (21), financial elements covered by banking secrecy (22).
Finally, the Commission stressed that the vulnerability of the public (children) should be considered (23).
Through its sanctions, the CNIL also wishes to inform and raise awareness among the public and stakeholders in the sector
Already in 2012 (24) the French authority noted “the importance of informing the public of the follow-up given to this affair, which had received significant media resonance”.
In the formal notice served on CDiscount (25), the CNIL mentioned the “need to raise awareness in the commercial sector of distance selling”.
More recently (26), the French Data Protection Authority (CNIL) wanted to highlight “the current context in which security incidents are multiplying and the need to make Internet users aware of the risks weighing on the security of their data”.
3rd mistake: “Believing you are safe because the company necessarily has a security policy”.
The security obligation is combined with the obligation to document and demonstrate that the processing is carried out in accordance with the Regulation (accountability). In practice, this means not only defining and implementing security procedures, but also applying them effectively and updating them regularly. In a decision rendered in 2012, the CNIL’s restricted committee stated that “it is pointless for the company to seek to avoid its liability by invoking supposed preventive procedures in this matter (ISO 27001 safety procedure, requirements of CRBF Regulation 97-02)” (27).
4th mistake: “it is the subcontractor who will be responsible”.
According to the GDPR, the controller only uses processors who offer sufficient guarantees as to the implementation of appropriate technical and organizational measures, in particular concerning data security.
The CNIL has on several occasions ruled on the liability of an organization due to its subcontractor, noting the following points:
It is advisable to trace and document exchanges with the Processor:
The informal nature of exchanges between the company and its Processor may make it more difficult for the Data Controller to monitor the actions taken by his Processor, the corrective measures taken by the latter and any recommendations that may be made (28).
The intervention of a provider creates an additional responsibility for effective control of the provider’s actions (29) and the solutions used by the provider.
– Orange was reminded that the Data Controller cannot reduce its liability by using several Processors.
– The company was also accused of not having conducted a security audit of the version of the technical application developed by the Sub-Processor.
– Darty should have disabled the modules of its Processor’s off-the-shelf solution that were not needed, and checked the product’s features.
– The fact of not imposing specifications on its Processor in charge of developing a website constitutes negligence on the part of the company in monitoring the actions of its Processor (30).
– Finally, the controller must regularly monitor the resolution of the data breach with its Processor (in that case, Darty had not produced proof of its daily follow-up requests).
The provision of the service must be the subject of a contract governing the Processor’s obligations in terms of security and confidentiality of personal data:
– In its decision against Orange, the CNIL noted the absence of a security clause imposed on the secondary provider.
– More recently, this failure was noted in two decisions made public in 2017 and 2018 (31).
So why is it urgent to guarantee the security of personal data?
Taking preventive measures and regularly monitoring their effectiveness means limiting the risks associated with security breaches, whether they involve a sanction by the French Data Protection Authority, legal action by the persons concerned, or attempts at extortion by cybercriminals.
(1) According to Article 5(1)(f) of the GDPR: personal data must be processed in such a manner as to ensure appropriate security of such data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (integrity and confidentiality).
(2) CNIL Deliberation, August 7th 2014: warning against Orange.
(6) CNIL Deliberation of July 18th, 2017: €40K sanction by the CNIL against Hertz.
(7) CNIL Deliberation, June 21st 2018: sanction of €75k against the Association pour le Développement des Foyers.
(8) CNIL Deliberation, November 16th 2017: sanction of €25k against Web Edition.
(9) CNIL Deliberation, July 15th 2017: sanction of €1,000 against BDE; CNIL Deliberation, July 2nd 2018: formal notice served on the Institut des techniques informatiques et commerciales.
(10) CNIL Deliberation, July 24th 2018: sanction of €50K against Daily Motion.
(11) CNIL Deliberation, April 13th 2017: sanction of €15K against Allocab.
(12) CNIL Deliberation, November 20th 2017: Genesis Industries Limited receives a warning from the CNIL.
(13) CNIL Deliberation, July 7th 2016: sanction of €30K against BrandAlley.
(14) See Parti Socialiste.
(15) See Genesis Industries Ltd.
(16) CNIL Deliberation, July 9th 2012: Fnac receives a warning from the CNIL; CNIL Deliberation, September 20th 2016: formal notice served on CDiscount.
(17) CNIL Deliberation, February 8th 2018: formal notice served on CNAMTS.
(18) CNIL Deliberation, June 21st 2012: Euro-Information (Crédit Mutuel group) receives a warning from the CNIL.
(19) See Fnac.
(20) CNIL Deliberation, October 13th 2016: the Parti Socialiste receives a warning from the CNIL.
(21) CNIL Deliberation, May 7th 2018: sanction of €250k against Optical Center.
(22) See Euro-Information.
(23) See Genesis Industries Ltd.
(24) See Euro-Information.
(25) See CDiscount.
(26) See Optical Center.
(27) See Euro-Information.
(28) See Optical Center.
(29) CNIL Deliberation, January 8th 2018: sanction of €100K against Darty.
(31) CNIL Deliberation, August 30th 2017: formal notice served on the Ministry of Higher Education, Research and Innovation; CNIL Deliberation, June 25th 2018: formal notice served on Teemo.