250,000 euros. This is the amount of the fine imposed by the Commission Nationale de l'Informatique et des Libertés (French Data Protection Authority or "CNIL") on Optical Center, a French company specializing in optics, for having failed to properly secure its website www.optical-center.fr.
This is the first time that the CNIL has imposed such a heavy fine. And this was not even under the General Data Protection Regulation ("GDPR"), which provides that companies may be fined up to 20 million euros and 4% of their turnover.
On July 28, 2017, the CNIL was informed of a possible significant data leak concerning the company Optical Center. Specifically, it was told that data were freely accessible from several URLs with the same structure.
On July 31, 2017, the CNIL carried out an online inspection which established that it was possible, by entering several URLs in the address bar of a browser, to access hundreds of invoices concerning customers of the company. These invoices contained data such as the last name, first name, postal address as well as health data (ophthalmic correction) or, in some cases, the social security number of the persons concerned.
The CNIL immediately alerted Optical Center which in turn asked its provider to take the necessary measures to put an end to this security incident. The breach was remedied on August 2, 2017 through the addition of a new functionality.
On August 9, 2017, the CNIL then carried out an on-site inspection at the company's premises, where the company acknowledged that its website had a security breach.
Specifically, the website www.optical-center.fr did not include a functionality to verify that a customer was logged in to their personal space ("customer area") before displaying their invoices. It was thus relatively simple to access documents belonging to another customer of the company.
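As an added illustration (not code from the CNIL decision or from Optical Center's site), here is a minimal invoice handler written the way the article describes the flaw, beside the same handler with the missing checks; the invoice store, session dictionary and status codes are constructed for the example.

```python
# Added example: the missing check described in the article and its fix.
# INVOICES, the session dict and the audit log are constructed for illustration.

# Constructed sample store: invoice id -> owning customer id and document body.
INVOICES = {
    "INV-1001": {"customer_id": "cust-a", "body": "invoice for customer A"},
    "INV-1002": {"customer_id": "cust-b", "body": "invoice for customer B"},
}

# Denied requests are recorded here so repeated failures can be spotted in monitoring.
DENIED_LOG = []


def serve_invoice_vulnerable(session, invoice_id):
    """Pattern the article describes: the document is looked up by the id taken
    from the URL and returned without checking who is asking."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    return 200, invoice["body"]


def serve_invoice_hardened(session, invoice_id):
    """Fixed handler: require an authenticated customer, then verify that the
    requested invoice belongs to that customer (object-level authorization)."""
    customer_id = session.get("customer_id")
    if customer_id is None:
        DENIED_LOG.append(("anonymous", invoice_id, 401))
        return 401, None  # not logged in to the customer area
    invoice = INVOICES.get(invoice_id)
    # Same 404 for "does not exist" and "not yours", so the endpoint does not
    # confirm which invoice ids exist to a logged-in customer who does not own them.
    if invoice is None or invoice["customer_id"] != customer_id:
        DENIED_LOG.append((customer_id, invoice_id, 404))
        return 404, None
    return 200, invoice["body"]
```

The hardened version makes both checks the article's finding calls for: that a session exists, and that the session's customer owns the requested document.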
The CNIL immediately initiated a sanction procedure against Optical Center.
It is interesting to note that Optical Center complained about the lack of any prior formal notice, which it considered a "substantial component" of the procedure ensuring due process and respect for the rights of the defense.
The CNIL simply swept aside this argument as...