Recently, the French Data Protection Authority (the “CNIL”) published a statistical review of personal data breaches during the first four months of the EU General Data Protection Regulation’s (“GDPR”) entry into application. View the review (in French).
Types of breaches
Between May 25 and October 1, 2018, the CNIL received 742 notifications of personal data breaches that affected 33,727,384 individuals located in France or elsewhere. Of those, 695 notifications were related to confidentiality breaches. In the CNIL’s view, this high proportion of confidentiality breaches may be explained by several reasons:
- In many cases, personal data breaches are the result of lack of confidentiality of personal data in addition to integrity and/or availability issues.
- Organizations often have the means to retrieve data within the 72-hour time limit after an integrity or availability breach.
Business areas affected
The accommodation and food services sector is the sector in which the highest number of breaches were observed, with 185 notifications. This is due to a specific case, where a booking service provider was affected by a data breach. That service provider immediately notified all its customers of the breach and took measures to help them comply with their obligations. As part of these measures, the service provider (1) reminded its customers of the context and the breach notification obligations, (2) provided them with a list of the supervisory authorities to be contacted depending on the country of establishment of each customer, a list of the data subjects to be contacted and a template letter, and (3) implemented a dedicated hotline. According to the CNIL, these measures reflect best practices that should be implemented by a service provider when affected by a personal data breach.
Cause of the breaches
More than half of the notified breaches (421 notifications) were due to hacking via malicious software or phishing. 62 notified breaches were related to data sent to the wrong recipients, 47 notified breaches were due to lost or stolen devices, and 41 notified breaches were due to the unintentional publication of information. Most breaches were therefore the result of hacking and intentional theft attributable to a malicious third party, or employees’ unintentional mistakes. In all other cases, the causes of the breach were unknown or undetermined by the notifying data controller, or the breach was the result of internal malicious actions. The CNIL advised that businesses should think about data security at the outset of their project, regularly run security updates on operating systems, application servers, or databases, and regularly inform staff of the risks and challenges raised by data security. This will help prevent the majority of these incidents.
The CNIL also reported that it will adopt an aggressive approach when the data controller does not comply with its obligation to notify the breach within 72 hours after having become aware of it. Failure to comply with that obligation may lead to a fine of up to €10 million or 2 percent of the total worldwide annual revenues. Conversely, if the CNIL receives the notification in a timely manner, the CNIL will adapt an approach that aims at helping the professionals involved take all the necessary measures to limit the consequences of a breach.
When necessary, the CNIL will contact organizations for the purposes of:
- Verifying that adequate measures have been taken before or after the breach. In this respect, the CNIL may advise the data controller on any needed improvements, e.g. use of an appropriate encryption algorithm or the best way to manage passwords. The CNIL may also refer data controllers to the relevant police services or to the web platform to file a complaint.
- Assessing the necessity to notify affected data subjects. For each notification, the CNIL assesses the risks to data subjects and may recommend notifying them of the breach. Since May 25, 2018, the CNIL’s injunction power has been used only once to order a data controller to notify affected data subjects. The CNIL did so by serving formal notice on the data controller, and the latter complied with the notice served.