The CNIL has fined NEXPUBLICA FRANCE EUR 1.7 million for failing to implement adequate security measures for its Public CRM (PCRM) software, a user relationship management tool in the social services sector. The enforcement action followed data breach notifications in November 2022, when users of the PCRM portal reported being able to access documents concerning third parties. The software is used by Maisons départementales des personnes handicapées – a public service for disability support (amongst other things), processing highly sensitive personal data, including information revealing disabilities.
CNIL investigations revealed that the vulnerabilities identified were:
– mostly due to a lack of knowledge of basic security principles and of what constitutes the state of the art in security
– identified in several internal audit reports but only corrected after the data breaches occurred
This fine highlights the fact that good security starts with understanding the issues, knowing what is available to address them and having the expertise to decide what is appropriate in the circumstances. Audits are, of course, essential for identifying compliance issues, but without structured, documented follow-up, an audit is just another piece of paper. Establishing actions, assigning owners, setting deadlines for completion and having someone monitor progress are all needed to ensure that problems are properly addressed.