
Two companies sentenced for lack of security of private data

A company and its subcontractor were fined for failing to act quickly enough in the face of cyber attacks.

For the first time, the CNIL (editor's note: Commission nationale de l'informatique et des libertés, the French data protection authority) has sanctioned both a data controller and its processor, with fines of 150,000 and 75,000 euros respectively, for not having implemented adequate security measures as required by Article 32 of the GDPR (editor's note: the EU General Data Protection Regulation), which provides that "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk".

Antoine Declève.


The names of the sanctioned companies have not been made public. The CNIL press release states that one of them operates an online sales website on which several million customers regularly make purchases, while the other had been entrusted with managing that website.

On many occasions, this website was the target of so-called "credential stuffing" attacks. These attacks, currently very widespread, are carried out in two stages. First, the attackers retrieve or buy, on the "dark web", lists containing hundreds of millions of "username / password" pairs. They then attempt to log into the accounts of the targeted site's customers using "robots" [1], which run through the lists of usernames and passwords automatically in order to gain access to customer accounts. The attackers rely on the fact that Internet users commonly reuse the same usernames and passwords on several sites without ever changing them.


"The companies have been sanctioned for having delayed putting in place measures to effectively combat these repeated attacks."

Antoine Declève

Avocat Cairn Legal



The attacks, carried out regularly on the website in question over a year and a half, allowed the attackers to obtain the surname, first name, email address and date of birth of nearly 40,000 customers, as well as their loyalty card number and balance and information about their orders.

The CNIL faulted the sanctioned companies for having delayed putting in place measures to effectively combat these repeated attacks. They had not, however, remained passive: they had undertaken the development of a tool to prevent further attacks. The CNIL nonetheless considered that this development had taken too long and that faster measures could have been implemented [2].
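The per-IP limit on login attempts that the CNIL says could have been deployed quickly (see note 2), together with a detection rule for the attack pattern described above (one source trying many distinct usernames, almost all failing), as an added Python illustration that is not part of the original article or of either company's tooling; all IPs, usernames and events are constructed.

```python
from collections import defaultdict, deque

# Constructed sample of login events: (time in seconds, client IP, username, login succeeded).
# 203.0.113.7 replays a leaked credential list against many accounts (one pair happens to work);
# 198.51.100.20 is a real user mistyping a password; 192.0.2.5 logs in cleanly. All values are made up.
SAMPLE_EVENTS = (
    [(t, "203.0.113.7", f"user{t:02d}@example.net", t == 9) for t in range(12)]
    + [(3, "198.51.100.20", "alice@example.net", False),
       (8, "198.51.100.20", "alice@example.net", False),
       (15, "198.51.100.20", "alice@example.net", True),
       (20, "192.0.2.5", "bob@example.net", True)]
)

class LoginRateLimiter:
    """Sliding-window cap on login attempts per client IP (the first measure listed in note 2)."""
    def __init__(self, max_attempts=5, window_seconds=60):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent attempts

    def allow(self, ip, now):
        """Return True if this attempt is within the limit; otherwise the login must be refused."""
        recent = self.attempts[ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()  # drop attempts that fell out of the window
        if len(recent) >= self.max_attempts:
            return False
        recent.append(now)
        return True

def replay(events, limiter):
    """Feed events through the limiter in time order; return refused-attempt counts per IP."""
    refused = defaultdict(int)
    for ts, ip, _user, _ok in sorted(events):
        if not limiter.allow(ip, ts):
            refused[ip] += 1
    return dict(refused)

def detect_credential_stuffing(events, min_usernames=5, max_success_ratio=0.2):
    """Flag IPs that try many distinct usernames with mostly failures: the fingerprint of a bot
    replaying leaked username/password pairs rather than a user who forgot one password."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for _ts, ip, user, ok in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        stats["successes"] += int(ok)
    return sorted(ip for ip, s in per_ip.items()
                  if len(s["users"]) >= min_usernames
                  and s["successes"] / s["attempts"] <= max_success_ratio)
```

A real deployment would key the limiter on more than the source IP (attackers spread attempts across many addresses) and pair it with the CAPTCHA step from note 2, but the rule above already stops the bulk of a single-source list replay and surfaces it in the logs.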

Broad interpretation of obligations

The CNIL notes, in its communication on this case, that while "the data controller must decide on the implementation of measures and give documented instructions to its processor", the processor must, for its part, "seek the most appropriate technical and organisational solutions to ensure the security of personal data, and propose them to the controller".

The obligation the GDPR imposes on the processor is, however, far from being as explicit as the CNIL's press release suggests. The GDPR states that the processor must "assist the controller in ensuring compliance with the security obligation (…) taking into account the nature of processing and the information available to the processor".


“This is a reminder of the importance of clearly defining, in the subcontract, the respective obligations of the parties in terms of security.”

Antoine Declève

Avocat Cairn Legal



The interpretation that the CNIL appears to give of the processor's obligations goes well beyond assisting the controller in ensuring security, since it suggests that the processor should, on its own initiative, seek out the most appropriate solutions and propose them to the controller.

This should serve as a reminder of the importance of clearly defining, in the subcontracting contract, the respective security obligations of the parties, given the divergent interpretations that may arise. It is also a good way to ensure that you are exempt, in whole or in part, from liability if a data breach occurs.

Antoine Declève
Avocat Cairn Legal

(1) Networks of interconnected computers, or botnets.

(2) "limiting the number of requests authorized per IP address on the website, which could have slowed the rate at which the attacks were carried out, or displaying a CAPTCHA from the first attempt by users to authenticate to their account, which is very difficult for a robot to circumvent".
