The French data protection agency (CNIL) severely penalises an insurance broker – Decision of 18 July 2019
In France, 11,077 complaints were registered in 2018 (up 32.5% on 2017) and 11 fines were imposed; in 2019 the number of complaints rose to about 14,000, yet the number of fines stayed at 11. In terms of amounts, however, France leads Europe: €51.1 million of the €114 million in fines imposed across Europe. The French data protection authority (CNIL) is the public body that supervises the processing of personal data, whether automated or on paper and whether by public or private bodies. On 18 July 2019 it published an important decision concerning an insurance broker.
A wholesale broker designed and distributed personal motor insurance policies to customers via its website, where customers could obtain quotes and take out policies online. The product was aimed at all types of customers, including those with a poor claims history or whose previous policy had been cancelled for non-payment of the premium. On 1 June 2018, one of the broker's customers mistyped their password and found themselves logged in to another customer's account, with no further authentication required.
On this site, customers' accounts could be reached via hyperlinks indexed by a search engine, or simply by changing the numbers at the end of the URL shown in the browser: the account identifier appeared directly in the URL, and the server did not verify that the person requesting it was the account's owner. The database contained, inter alia, 144,890 vehicle registration documents, 137,776 driving licences, 119,940 bank statements, 119,517 quotations and 36,068 motor vehicle sale invoices, as well as insurance policies. In addition, the broker imposed each customer's date of birth as their password and sent it to them by unencrypted email. The customer who discovered the flaw reported it to the CNIL, which carried out an inspection of the broker's procedures.
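The decision describes the flaw but not the code behind it. The following is an added illustration, not code from the CNIL decision or from the broker, of what the access-control failure looks like in a handler and how it is closed: a toy customer-document service whose vulnerable route trusts the numeric id in the URL, beside a hardened route that derives identity from the session and checks it against the URL, together with the response headers that keep such pages out of search engines and a check that refuses a date of birth as a password. Every account, document name, session token, header value, date format and the 12-character minimum are constructed assumptions for the example.

```python
"""
Added illustration, not code from the CNIL decision or from the broker: a toy
customer-document service showing the access-control failure the decision
describes (account documents reachable by editing the numeric id in the URL,
or from a search-engine listing) next to a hardened handler, plus a check
that refuses a date of birth as a password. Every account, document name,
session token and header value here is constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Tuple
import secrets


@dataclass
class Account:
    account_id: int
    email: str
    birth_date: date
    documents: Dict[str, str] = field(default_factory=dict)


# Constructed sample data: two customers, each holding one scanned document.
ACCOUNTS: Dict[int, Account] = {
    1001: Account(1001, "alice@example.test", date(1980, 5, 17),
                  {"registration": "alice-vehicle-registration.pdf"}),
    1002: Account(1002, "bob@example.test", date(1975, 11, 2),
                  {"registration": "bob-vehicle-registration.pdf"}),
}

# Server-side session store: opaque token -> account id fixed at login time.
SESSIONS: Dict[str, int] = {}


def login(account_id: int) -> str:
    """Issue an unguessable session token bound to one account."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token


def get_document_vulnerable(account_id: int, name: str) -> Optional[str]:
    """Insecure direct object reference, as on the broker's site: the id is
    taken straight from a URL such as /account/1002/registration and nothing
    checks who is asking, so anyone can enumerate every customer's documents
    by counting upwards."""
    account = ACCOUNTS.get(account_id)
    return None if account is None else account.documents.get(name)


def get_document(session_token: str, account_id: int,
                 name: str) -> Tuple[int, Optional[str]]:
    """Hardened handler returning an (HTTP status, body) pair.

    Identity comes from the server-side session, never from the URL; the id
    in the URL is then compared against it (object-level authorization).
    """
    owner = SESSIONS.get(session_token)
    if owner is None:
        return 401, None            # no valid session: not authenticated
    if owner != account_id:
        return 403, None            # someone else's account: forbidden
    account = ACCOUNTS.get(account_id)
    if account is None or name not in account.documents:
        return 404, None
    return 200, account.documents[name]


# Headers every customer-document response should carry so the pages never
# end up listed by a search engine or stored in a shared cache.
NOINDEX_HEADERS = {
    "X-Robots-Tag": "noindex, nofollow",
    "Cache-Control": "no-store, private",
}

# Ways a customer might write a birth date (assumed list, not exhaustive).
_DOB_FORMATS = ("%d%m%Y", "%d%m%y", "%d/%m/%Y", "%d-%m-%Y", "%d.%m.%Y",
                "%Y%m%d", "%Y-%m-%d")
MIN_PASSWORD_LENGTH = 12   # assumed policy value, not taken from the decision


def password_is_weak(password: str, birth_date: date) -> bool:
    """True when the password is the customer's date of birth in any common
    written form, or is shorter than the assumed minimum length."""
    candidate = password.strip()
    if candidate in {birth_date.strftime(f) for f in _DOB_FORMATS}:
        return True
    return len(candidate) < MIN_PASSWORD_LENGTH


if __name__ == "__main__":
    # Bob's document leaks through the vulnerable route with no session at all.
    print(get_document_vulnerable(1002, "registration"))
    alice = login(1001)
    print(get_document(alice, 1001, "registration"))   # (200, 'alice-vehicle-registration.pdf')
    print(get_document(alice, 1002, "registration"))   # (403, None)
    print(password_is_weak("17051980", date(1980, 5, 17)))   # True
```

The hardened route returns 403 rather than 404 on a mismatch only after the session has been validated; in a real deployment the check belongs in one shared authorization layer rather than being repeated in each handler, so that a forgotten check in a new endpoint cannot reopen the hole.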
The CNIL fined the broker €180,000 and made the decision public, stating that the fine was imposed due to “the seriousness of the breach, as well as the nature of the data and documents involved. [But also] due to the large number of persons affected, the security failure involving the accounts of several thousand customers, as well as individuals who had cancelled their policies”.
This decision is almost a textbook case, given how flagrant the broker's mistakes were: the failures cited are basic controls (checking that a user may only access their own account, keeping customer pages out of search engines, not imposing guessable passwords and not sending credentials in plain text), not exotic attacks. Insurance intermediaries should pay particular attention to it, as it shows that the CNIL's inspections are not carried out for educational purposes alone.