CNIL, the French data protection authority, came down hard on Optical Center, a French company that sells contact lenses, sunglasses, and eyeglasses, this month after it was found leaking data from its site.
The authority fined the company €250,000, roughly $295K, stemming from a July 2017 complaint that Optical Center failed to sufficiently secure the data of customers who placed orders through its site.
While most stores are in France, Optical Center also has locations in Spain, Canada, Israel, and Luxembourg.
According to CNIL, the company left more than 334,000 documents containing customers' personal data unprotected. The documents, invoices containing data such as customers' last name, first name, and postal address, could be reached by anyone who entered the right URL in their browser's address bar, CNIL said late last week.
In some scenarios prying eyes could have accessed a customer’s national identification number, or Social Security number, and health data like a customer’s ophthalmic correction.
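The exposure CNIL describes is a document endpoint that hands out an invoice to whoever supplies its URL, with no check that the requester is the customer it belongs to. The following is an added illustration, not Optical Center's code, and assumes nothing about how its site was actually built; the invoice store, identifiers and session object are constructed for the example. It shows the exposed pattern beside a handler that binds each invoice to the authenticated customer:

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    customer_id: int
    body: str  # constructed stand-in; real invoices carried name, address, health data

# Constructed sample store standing in for the retailer's document storage.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, 7, "invoice 1001: customer 7, name, postal address, correction"),
    1002: Invoice(1002, 8, "invoice 1002: customer 8, name, postal address, correction"),
}

@dataclass(frozen=True)
class Session:
    """Hypothetical authenticated session: who is asking for the document."""
    customer_id: int

def serve_invoice_insecure(invoice_id: int) -> Tuple[int, str]:
    """Exposed pattern: the document is looked up by the identifier in the URL alone.
    Anyone who knows or guesses the URL receives the invoice."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, ""
    return 200, inv.body

def serve_invoice(invoice_id: int, session: Optional[Session]) -> Tuple[int, str]:
    """Hardened handler: the caller must be logged in, and the invoice must belong
    to that customer. Missing and foreign invoices get the same 404 so the URL
    space cannot be probed for which identifiers exist."""
    if session is None:
        return 401, ""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.customer_id != session.customer_id:
        return 404, ""
    return 200, inv.body
```

The ownership check belongs on every document-serving route, including PDF exports and "download again" links, since a single unguarded route is enough to expose the whole store.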
For Optical Center the offense in question occurred last July, prior to the EU’s General Data Protection Regulation (GDPR) cutoff of May 25. That lessens the blow somewhat and saves the retailer from having to pay either four percent of its annual global turnover or €20 million, whichever is greater, under GDPR.
CNIL said the sanction stemmed from the company's failure to secure the personal data of its customers, which violates Article 34 of the French Data Protection Act, or Loi informatique et libertés, a piece of legislation that requires data controllers to take all useful precautions to preserve the security of data and to prevent its damage or access by unauthorized third parties.
It's the second major fine the French eyewear retailer has received in the last five years. In 2015 CNIL imposed a €50,000 fine on the company after an audit revealed it wasn't complying with data security obligations. Optical Center had failed to secure its homepage, the page on which it allowed users to change their passwords. Internally the company was lacking in cyber hygiene as well: it had no password management policy in place, and it didn't lock employee workstations after a period of inactivity. Its data processor agreement was also insufficient.
This most recent fine marks the highest ever imposed by France. The nation twice previously levied fines of €150,000, once in 2014 against Google for tracking and storing user data and again against Facebook in 2017 over changes to its privacy policy.
The reason the fine (€250,000) is so high is that France anticipated GDPR when it amended its Data Protection Act two years ago, in October 2016, and raised the maximum fine for failing to comply with data protection from €150,000 to €3 million.