The French data protection authority, the CNIL, has published the details of a €250,000 fine against Optical Center. It relates to a complaint filed with the CNIL in July 2017, which alleged that a “significant data leak” was happening at Optical Center.
The decision was first announced in May 2018 but has only just become public. It covers a data breach in which more than 334,000 documents containing personal data about Optical Center customers were left unprotected. This is not the first time the CNIL has fined Optical Center: in December 2015 it was fined €50,000 after a customer complained about inadequate password security.
The fine is a record for the CNIL and takes two things into account. The first is that Optical Center had already been sanctioned for a data security failure. The second is a change to French law that allowed fines to be increased before GDPR came into force.
What was Optical Center fined for this time?
This latest fine covers a data breach caused by the way customer documents were served. Customers did not have to log into a portal to view their documents; each document was reachable directly in a browser at its own URL, with no authentication and no check that the requester was the customer the document belonged to. Because the documents were named according to a predictable scheme, anyone who worked out that scheme could request other customers' documents simply by changing the name in the URL. Most of the documents exposed this way were invoices, which contained a raft of personal data.
According to the CNIL judgement: “These invoices contained data such as last name, first name, postal address as well as health data (ophthalmic correction) or, in some cases, the social security number of the persons concerned.”
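The failure described above is a missing access check on a direct file reference: the URL is the only thing standing between a visitor and someone else's invoice. The following Python example, added here and not code from Optical Center or its website provider, models that pattern and its fix. The document store, file names, session tokens and customer identifiers are all constructed for the illustration; the naming scheme `facture-NNNNNN.pdf` is an assumption chosen to show why a sequential counter is enumerable, not the real scheme.

```python
"""Added example (not from the original article): an unauthenticated,
predictable document lookup beside a hardened one.

The vulnerable path serves any stored invoice to anyone who can guess its
file name. The hardened path requires a valid session and checks that the
requesting customer owns the document. Every name and value here is
constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import secrets


@dataclass(frozen=True)
class Invoice:
    owner_id: str   # the customer the invoice belongs to
    body: str       # would carry name, address, prescription, ...


# Constructed sample data. The sequential file names are the weak point:
# once one name is known, the rest can be guessed.
_INVOICES_BY_FILENAME: Dict[str, Invoice] = {
    "facture-000101.pdf": Invoice("cust-A", "Invoice 101 for customer A"),
    "facture-000102.pdf": Invoice("cust-B", "Invoice 102 for customer B"),
    "facture-000103.pdf": Invoice("cust-C", "Invoice 103 for customer C"),
}

# Constructed session table: session token -> authenticated customer id.
_SESSIONS: Dict[str, str] = {
    "tok-A": "cust-A",
    "tok-B": "cust-B",
}


def fetch_invoice_vulnerable(filename: str) -> Optional[str]:
    """The failing pattern: the path is the only 'credential'.

    No login is required and the caller is never compared with the owner,
    so a customer who knows the naming scheme can read everyone's invoices.
    """
    inv = _INVOICES_BY_FILENAME.get(filename)
    return inv.body if inv else None


def enumerate_vulnerable(prefix: str, start: int, stop: int) -> List[str]:
    """What an attacker does with a predictable scheme: walk the counter."""
    found = []
    for n in range(start, stop):
        body = fetch_invoice_vulnerable(f"{prefix}{n:06d}.pdf")
        if body is not None:
            found.append(body)
    return found


# Hardened store: documents keyed by an unguessable id AND tied to an owner.
# The random id makes enumeration impractical, but the ownership check is
# what actually enforces access control; a random id on its own is obscurity.
_INVOICES_BY_ID: Dict[str, Invoice] = {}


def store_invoice(owner_id: str, body: str) -> str:
    """Store a document under a 128-bit random id instead of a counter."""
    doc_id = secrets.token_urlsafe(16)
    _INVOICES_BY_ID[doc_id] = Invoice(owner_id, body)
    return doc_id


def fetch_invoice_hardened(session_token: Optional[str], doc_id: str) -> Optional[str]:
    """Authenticate, then authorise: the caller must own the document.

    A missing document and a document belonging to someone else both return
    None, so the endpoint does not confirm to an outsider that an id exists.
    """
    customer_id = _SESSIONS.get(session_token or "")
    if customer_id is None:
        return None                      # not logged in
    inv = _INVOICES_BY_ID.get(doc_id)
    if inv is None or inv.owner_id != customer_id:
        return None                      # missing or not yours: same answer
    return inv.body


if __name__ == "__main__":
    # An anonymous walk of the predictable range pulls every invoice.
    print(enumerate_vulnerable("facture-", 100, 110))
    a_id = store_invoice("cust-A", "Invoice for customer A")
    print(fetch_invoice_hardened("tok-A", a_id))   # customer A: allowed
    print(fetch_invoice_hardened("tok-B", a_id))   # customer B: denied
    print(fetch_invoice_hardened(None, a_id))      # anonymous: denied
```

The point of the hardened version is the order of checks: the server resolves the session to a customer first and compares that customer with the document's owner before returning anything. Moving to random identifiers is worth doing as well, because it stops the cheap enumeration shown in `enumerate_vulnerable`, but it is not a substitute for the ownership check.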
Optical Center and its website provider acted to secure the data as soon as they were informed of the problem by the CNIL, and during an on-site visit by the CNIL the company admitted it was at fault.
What does this mean?
The decision was taken before GDPR took full effect. A change to French law allowed the CNIL to anticipate the impact of GDPR when setting the fine; had the offence occurred after 25 May 2018, the fine could have been substantially higher. The fact that Optical Center had already been sanctioned by the CNIL for a data security failure also counted against it.
According to Ilia Kolochenko, CEO of web security company High-Tech Bridge, this is: “...a strong signal to other companies that cybersecurity is not something they can continuously disregard. Many European medium-sized companies substantially underestimate the importance of data protection, let alone their application and website security. The world, however, changes, and so must their attitude too.”
With mandatory data breach notification under GDPR, more data breaches will be made public. As a result, we are likely to see more enforcement of this kind, and quite likely higher fines. Data protection regulators across Europe will be looking at new data breaches and setting fines that send a strong message to companies.