The decision imposing the fine provides close insight into the CNIL’s expectations of data controllers’ security measures on-line, internally and in dealing with third-party processors.
In July 2014, the CNIL received a consumer complaint regarding the processing of passwords by a retail chain with over 400 stores in France. The CNIL conducted an on-site audit later that month, and issued a cease-and-desist to the retailer in December 2014. The CNIL, considering that the retailer only partially proved its compliance with the cease-and-desist, conducted a second on-site audit in February 2015. Further considering that the retailer had not fully responded to the CNIL’s demands following the second audit, the retailer was convened to testify before the CNIL in June 2015. After requisite due process, in November 2015 the CNIL assessed a fine of EUR 50,000, citing several violations of the French Data Protection Law of January 6, 1978, as amended, for failure to adopt adequate security measures in respect of personal data controlled by the retailer.
Among the specific factors cited or implied by the CNIL:
- The retailer had not implemented HTTPS or another security protocol either on its website’s home page, from which users could log on to their accounts, or on the webpage allowing users to modify their passwords.
- The retailer did not require complex passwords for website users; when the retailer changed its policy regarding passwords it did not require current users to change their passwords and so adopt complex passwords.
- The retailer had no system for automatic renewal of passwords for employees performing back office functions for the website; instead, passwords were changed by the site administrator or a third-party service provider upon request from the marketing director.
- The retailer had no specific password policy for access to company desktops.
- Employees had access via Internet to back office functions, but access was by user name and password (no strong authentication).
- Workstations were not equipped with automatic lock features. The fact that certain workstations are located in offices not accessible to the public was deemed insufficient.
- The retailer’s contract with a third-party processor neither specified the security measures to be adopted by the processor, nor contained an undertaking from processor to keep confidential the retailer’s customers’ personal data.
This decision serves as a reminder that security measures must be periodically reviewed and updated to reflect technological advances, and internal policies just as external contracts should detail the security measures of data controllers and their data processors.