Weak Service Provider Security Triggers Fine — For Customer
The French Data Protection Authority (“CNIL”) in July imposed a fine of €40,000 on a French affiliate of the rental car company, The Hertz Corporation, for failure to ensure the security of website users’ personal data.
On October 15, 2016, the CNIL was informed of the existence of a security incident which resulted in the compromise of personal data on a French website related to Hertz France’s discount program. The CNIL carried out an online investigation and found that personal data of approximately 35,000 users was easily accessible from a URL address. The CNIL notified Hertz France of the issue, who in turn informed its service provider in charge of designing the website. The service provider immediately took corrective actions to stop the issue.
The investigation revealed that the issue was due to a mistake made by the service provider during a server change operation. The CNIL concluded that Hertz France had been negligent in overseeing the actions of its service provider (acting as a data processor).
As a result, the CNIL decided to impose a fine of €40,000 on Hertz France. In deciding the amount of the fine, the CNIL took into account the responsiveness of the company in remedying the issue, its initiative to conduct a security audit of its service provider and its appropriate level of cooperation with the CNIL.
This is the first fine imposed by the CNIL since the amendment of the French Data Protection Act by the French Digital Republic Act of October 7, 2016, which has strengthened the CNIL’s enforcement powers, pending the application of the GDPR.
Prior to that amendment, the CNIL likely would have simply issued a public warning in such a case (i.e., a decision finding that the company failed to comply with its data protection obligations).
Blog courtesy of Hunton & Williams LLP, a U.S.-based law firm with a Global Privacy and Cybersecurity practice that’s known throughout the world for its deep experience, breadth of knowledge and outstanding client service. Read the company’s privacy blog here.