On 27 January 2021, CNIL fined a controller €150,000 and a processor €75,000 for EU (European Union) GDPR data protection infringements.
After receiving numerous personal data breach notifications from customers who were making purchases on the controller’s website, CNIL initiated an investigation to analyse the website’s data processing activities. The investigation was also extended to the processor, which was the website’s service provider. CNIL discovered that the controller’s website had suffered malicious data breaches, including numerous ‘credential stuffing’ attacks, due to inadequate security measures implemented by both the controller and the processor.
Information such as names, email addresses, dates of birth, loyalty card numbers and details of orders was accessed after an attacker successfully made large numbers of automated login attempts using bots. As a result, between March 2018 and February 2019, the attacker accessed approximately 40,000 customer accounts, whose data was made available to unauthorised third parties.
CNIL imposed the fines because the processor failed to protect the security of the users’ personal data as required by Article 32 of the GDPR. Although the controller and the processor subsequently developed a tool that detected and blocked the attacks, it took them a year to do so. In the meantime, they failed to implement any other measures which could have mitigated the breaches, such as limiting the number of requests allowed per IP address or using a CAPTCHA tool.
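As an added example (not part of this article or of the CNIL decision), the following Python shows the kind of per-IP login throttle the decision says was missing: it caps both the number of login attempts and the number of distinct accounts tried from one source address within a sliding window, replayed over constructed login events (the IP addresses, account names and thresholds are invented).

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed login events (not from the CNIL case): timestamp, source IP, account, outcome.
# 198.51.100.7 cycles through many accounts in seconds, the credential-stuffing signature.
SAMPLE_LOG = """\
2019-02-01T10:00:00 203.0.113.5 alice FAIL
2019-02-01T10:00:05 198.51.100.7 alice FAIL
2019-02-01T10:00:06 198.51.100.7 bob FAIL
2019-02-01T10:00:07 198.51.100.7 carol OK
2019-02-01T10:00:08 198.51.100.7 dave FAIL
2019-02-01T10:00:09 198.51.100.7 erin FAIL
2019-02-01T10:00:10 198.51.100.7 frank FAIL
2019-02-01T10:00:11 198.51.100.7 grace OK
2019-02-01T10:00:12 203.0.113.5 alice OK
2019-02-01T10:02:00 198.51.100.7 heidi FAIL
"""

def parse_log(text):
    """Yield (timestamp, ip, account, outcome) from one space-separated event per line."""
    for line in text.splitlines():
        ts, ip, account, outcome = line.split()
        yield datetime.fromisoformat(ts), ip, account, outcome

class LoginThrottle:
    """Per-IP sliding-window limiter on total attempts and on distinct accounts tried."""
    def __init__(self, window_seconds=60, max_attempts=10, max_accounts=5):
        self.window = window_seconds
        self.max_attempts = max_attempts
        self.max_accounts = max_accounts
        self.history = defaultdict(deque)   # ip -> deque of (timestamp, account)

    def allow(self, ts, ip, account):
        """Return True if the attempt may proceed to password checking, False if blocked."""
        q = self.history[ip]
        while q and (ts - q[0][0]).total_seconds() > self.window:
            q.popleft()                      # drop events that fell out of the window
        q.append((ts, account))              # blocked attempts count too, so retries don't reset
        if len(q) > self.max_attempts:
            return False
        return len({a for _, a in q}) <= self.max_accounts

def replay(text, **limits):
    """Run a log through the throttle; return {ip: (allowed, blocked)} attempt counts."""
    throttle = LoginThrottle(**limits)
    stats = defaultdict(lambda: [0, 0])
    for ts, ip, account, _outcome in parse_log(text):
        stats[ip][0 if throttle.allow(ts, ip, account) else 1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}
```

Note that the attacker's later attempt at 10:02:00 is allowed again once the window has expired, and that a distributed botnet spreads attempts across many addresses, so per-IP throttling is one layer to combine with CAPTCHA or account-level controls rather than a complete defence.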
One of the GDPR’s novelties is the Accountability principle, under which both the controller and the processor must have effective security measures in place and be able to demonstrate them when requested. Regulators are firm about the need for both controllers and processors to keep their security provisions sharp and current. Cybersecurity remains a fundamental component of overall compliance, and its failures are one of the most common causes of data breaches. Therefore, it is critical that organisations are aware that the fundamental rights and freedoms of data subjects are at the centre of the GDPR’s rationale and spirit. Systematic, appropriate security measures should be implemented to secure these rights and freedoms and to uphold Accountability under the GDPR.
Controllers need to bear in mind that ultimate responsibility for any security incident and related data breaches lies with them, and they must therefore apply to the letter the mandate of Article 32 of the GDPR on security. Controllers must also fully adhere to Article 28 of the GDPR and only use processors which guarantee that they can implement appropriate technical and organisational measures. To fulfil its mandate under the GDPR on security and accountability, an organisation must identify and evaluate its own security posture as well as that of its processors. Similarly, processors need to make sure they apply the appropriate security measures to comply with Article 32 of the GDPR.
An in-depth evaluation of a controller’s and processor’s preparedness and accountability in their processing activities is essential to measure a client’s security situation under the GDPR. CNIL’s fines highlight the dynamics of a controller-processor processing activity, in that one cannot pass complete responsibility to the other. Both parties must ensure that robust data protection agreements are in place and that the agreed security measures are implemented. Moreover, processors and controllers are held jointly responsible in the eyes of regulators and consumers.
Remember: as our clients’ outsourced DPO, we assess their security stance to determine potential security gaps and offer advice on appropriate and effective remedies.