On July 18, 2019, in its role as the guardian of personal data, the French Commission Nationale de l'Informatique et des Libertés ("CNIL") fined an insurance broker 180,000 euros and ordered that the decision imposing the sanction be made public.
On What Grounds?
The absence of security controls on access to clients' personal data through the offending company's website. The exposed data included nearly 148,000 telephone numbers, 144,000 e-mail addresses, 145,000 copies of car registration documents, 138,000 copies of driver's licenses and 120,000 bank statements, as well as a much larger amount of information about the persons concerned, such as first and last name, postal address, e-mail address, date and place of birth and bank details.
In Concrete Terms?
On June 1, 2018, the CNIL was informed that the personal data of clients of the Company in question were freely accessible on the Internet.
An online audit carried out by a CNIL delegation revealed a security flaw in the website of the publisher, which was the controller of the personal data in question, and the resulting data breach.
Notwithstanding the measures taken promptly by the Company concerned to remedy the security breach identified by the audit delegation (e.g. encryption of the URLs that allowed the stored documents to be viewed), a second audit found that the flaw persisted: third parties could still reach pages containing the personal data of some of the audited Company's clients.
It was in this context that the CNIL's restricted committee fined the Company in question, after finding that it had failed to fulfil its obligation to ensure the security and confidentiality of personal data under the French Data Protection Act (loi Informatique et Libertés).
The CNIL's decision highlights certain security measures that it considers fundamental for data security, and which should be in place before any site goes live.
First of all, when a request to access a resource reaches a server, the server must first verify that the requester is authorized to access the requested information. This verification is carried out by means of authentication and access-rights management, so that each user who wishes to access a document is confirmed to be entitled to consult it.
In the present case, however, third parties were able to freely consult the client documents stored by the company, with nothing in place to prevent them from doing so.
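The check described above, as an added example that is not the company's code nor part of the CNIL decision: a minimal document endpoint modelled on the flaw. The "before" handler returns any stored document to anyone who knows or guesses its identifier; the hardened handler first authenticates the caller from a session and then verifies that the document belongs to that user. The document store, the session table, the identifiers and the contents are all constructed for the example.

```python
# Added example, not code from the page or from the sanctioned company.
# Document store, sessions and ids below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int    # client who uploaded the document
    kind: str        # e.g. "driver_licence", "bank_statement"
    content: bytes


# Constructed stand-in for the company's document store.
DOCUMENTS = {
    1001: Document(1001, owner_id=7, kind="driver_licence", content=b"<scan of licence>"),
    1002: Document(1002, owner_id=7, kind="bank_statement", content=b"<scan of statement>"),
    1003: Document(1003, owner_id=9, kind="car_registration", content=b"<scan of registration>"),
}

# Constructed session table: session token -> authenticated user id.
SESSIONS = {
    "sess-aaaa": 7,
    "sess-bbbb": 9,
}


def serve_document_insecure(doc_id):
    """Vulnerable: the handler neither authenticates the caller nor checks
    ownership, so anyone who enumerates doc_id (1001, 1002, 1003, ...)
    receives every client's files. Returns (http_status, body)."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return 404, b""
    return 200, doc.content


def serve_document_secure(session_token, doc_id):
    """Hardened: authenticate first, then verify the caller owns the document.
    Returns (http_status, body)."""
    user_id = SESSIONS.get(session_token)
    if user_id is None:
        return 401, b""          # not logged in: refuse before touching the store
    doc = DOCUMENTS.get(doc_id)
    # Answer 404 for both "does not exist" and "not yours", so the endpoint
    # cannot be used to confirm which document ids exist.
    if doc is None or doc.owner_id != user_id:
        return 404, b""
    return 200, doc.content


def count_readable(handler, id_range):
    """Walk a range of ids the way an anonymous crawler would and count how
    many documents the handler hands out."""
    leaked = 0
    for doc_id in id_range:
        status, _ = handler(doc_id)
        if status == 200:
            leaked += 1
    return leaked


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("anonymous, insecure handler:", count_readable(serve_document_insecure, ids))
    print("anonymous, secure handler:  ",
          count_readable(lambda d: serve_document_secure(None, d), ids))
```

The hardened handler deliberately returns the same 404 for a missing document and for another client's document; distinguishing the two cases would let an attacker map which identifiers are in use even without reading them.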
Measures must be put in place to limit indexing by search engines, for example by means of a robots.txt file. Note that robots.txt is only a request honoured by well-behaved crawlers; it is not an access control, and the documents must still sit behind authentication.
In the present case, however, the lack of security was compounded by the fact that the individuals' documents, freely accessible through the company's website, had been indexed by the search engines DuckDuckGo, Bing, Qwant and Yahoo.
The company responsible for the processing must ensure that the passwords its clients use to log in to their personal accounts are strong.
In this case, however, the password was simply the client's date of birth. Since the password format was imposed by the company, users could not change it and therefore could not protect themselves against unwanted logins.
The password chosen by the user must not be sent to them in plain text by e-mail together with the login ID.
In this case, however, after creating an account, users received an e-mail containing their username and password in plain text in the body of the message.
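The two credential points above (no date-of-birth passwords, no passwords in e-mail), as an added example that is not the company's code nor part of the decision: an account-creation flow in which the welcome e-mail carries only a one-time, time-limited set-password link, the chosen password is rejected if it is short, purely numeric or contains the user's date of birth, and only a salted PBKDF2 hash is stored. The user store, the token table, the example domain `example.invalid` and the policy constants are assumptions of the example.

```python
# Added example, not code from the page or from the sanctioned company.
# USERS, SET_TOKENS, the domain and the policy constants are constructed.
import hashlib
import hmac
import secrets
import time
from datetime import date

USERS = {}        # username -> {"dob": date, "salt": bytes|None, "pw_hash": bytes|None}
SET_TOKENS = {}   # sha256(token) -> (username, expiry_epoch)

PBKDF2_ITERATIONS = 200_000
MIN_LENGTH = 12
TOKEN_TTL_SECONDS = 3600


def dob_variants(dob):
    """Ways a date of birth is commonly typed: 14031985, 1985-03-14, 14/03/85, ..."""
    d, m, y = f"{dob.day:02d}", f"{dob.month:02d}", str(dob.year)
    forms = set()
    for sep in ("", "-", "/", "."):
        forms.add(sep.join((d, m, y)))
        forms.add(sep.join((y, m, d)))
        forms.add(sep.join((m, d, y)))
        forms.add(sep.join((d, m, y[2:])))
    return forms


def password_is_acceptable(password, dob):
    """Reject the weak choices at issue: too short, digits only, or built
    around the user's own date of birth (also as a substring)."""
    if len(password) < MIN_LENGTH or password.isdigit():
        return False
    return not any(v in password for v in dob_variants(dob))


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(password, salt, expected):
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def welcome_email_as_found(username, password):
    """The pattern the CNIL criticised: credentials in the body of the mail."""
    return f"Hello {username},\nYour login: {username}\nYour password: {password}\n"


def register(username, dob_iso, now=None):
    """Create the account without a password and return the welcome e-mail.
    The mail carries a one-time, time-limited set-password link; only the
    hash of the token is kept server-side, and no password is ever mailed."""
    now = time.time() if now is None else now
    USERS[username] = {"dob": date.fromisoformat(dob_iso), "salt": None, "pw_hash": None}
    token = secrets.token_urlsafe(32)
    SET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (username, now + TOKEN_TTL_SECONDS)
    return (f"Hello {username},\n\nYour account has been created. Choose your password "
            f"within the hour at:\nhttps://example.invalid/set-password?token={token}\n")


def set_password(token, new_password, now=None):
    """Validate the token, apply the policy, then store only the salted hash.
    The token is consumed on success or expiry, but kept if the password is
    rejected so the user can try again."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = SET_TOKENS.get(key)
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        del SET_TOKENS[key]
        return False
    user = USERS[username]
    if not password_is_acceptable(new_password, user["dob"]):
        return False
    del SET_TOKENS[key]
    user["salt"], user["pw_hash"] = hash_password(new_password)
    return True


def login(username, password):
    user = USERS.get(username)
    if user is None or user["pw_hash"] is None:
        return False
    return verify_password(password, user["salt"], user["pw_hash"])
```

Because the mail contains a token rather than a password, an intercepted or forwarded message is only useful for one hour and only until the link is used, and the stored hash is never something the company could send back to the user in clear.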
These reminders cover only a small part of the basic measures to be taken to protect personal data on the web.
While the CNIL gives data controllers time to make the adjustments needed to secure the personal data they process, it acts firmly and severely when controllers fail to adequately correct the security flaws detected. The CNIL also stresses that data security must be at the heart of controllers' concerns from the outset.
A professional audit will allow you to ensure your personal data processing system is compliant, or otherwise identify gaps that need to be filled to comply with applicable personal data regulations.