The French data protection agency (CNIL) severely penalises an insurance broker - Decision of 18 July 2019

France

Mapping of claims against insurance intermediaries

The profession and litigation procedures have evolved significantly in recent years and judges, and above all insureds, are becoming increasingly demanding. The bulk of liability claims today are brought on the grounds of the duty to inform and advise the client, for which there is little difference between a general agent and a broker.

The case-law of the Supreme Court is consumer-oriented, and the enabling of the Insurance Distribution Directive will doubtless bring little change to the duty to advise already imposed on intermediaries. France is certainly ready to implement the concepts promoted by the European Union as it has been putting them into practice for a long time.

The duty to advise is a key issue in disputes before the French courts. This duty has been imposed by the courts since 1964 and is defined more broadly by the case-law than the French Insurance Code; according to the Court of Cassation, the intermediary must be “a reliable guide and experienced advisor”.

Thus, particular importance is placed on insureds and their protection, along with ever-increasing expectations and increased requirements on the part of intermediaries in terms of formalities.

The French data protection agency (CNIL) severely penalises an insurance broker – Decision of 18 July 2019

In France, in 2018, 11,077 complaints were registered (+32.5% compared to 2017) and 11 fines were imposed, whereas in 2019, there were 14,000 complaints but the number of fines imposed remained at 11. However, with fines totalling €51.1 million, France has led the way in Europe in imposing fines, €51.1 million out of a total of €114 million. The French Data Protection Agency (CNIL), a public body responsible for the protection of personal data held on computer, in data processing or on paper, whether public or private, published an important decision on 18 July 2019 in respect of an insurance broker.

Facts

A wholesale broker designed and distributed personal motor insurance policies to customers via its website, where customers could obtain quotes and take out motor insurance policies online. The specific nature of the insurance product was that it was aimed at all types of customers, including customers who had a poor claims history or whose previous insurance policy had been cancelled for non-payment of the premium. On 1 June 2018, one of the broker’s customers accidentally entered an incorrect password and was logged on to another customer’s account without any further authentication being required.
On this site, the accounts of the company’s customers were accessible via hyperlinks listed on a search engine or by changing the numbers at the end of the URL addresses displayed in the browser. The database contained, inter alia, 144,890 vehicle registration documents, 137,776 driving licences, 119,940 bank statements, 119,517 quotations, 36,068 motor vehicle sale invoices, as well as insurance policies. In addition, the broker required all its users to use their date of birth as a password, which was emailed to them unencrypted. The customer who uncovered this security breach informed the CNIL, which began an audit into the procedures in place.

Decision

The CNIL fined the broker €180,000 and made the fine public, stating that it was imposed due to “the seriousness of the breach, as well as the nature of the data and documents involved. [But also] due to the large number of persons affected, the security failure involving the accounts of several thousand customers, as well as individuals who had cancelled their policies”.

CGPA comments

This decision is almost a textbook case, given the flagrant nature of the broker’s mistakes. Insurance intermediaries should pay particular attention to this decision as it highlights the fact that the inspections that CNIL carries out are not only for educational purposes.

Publications

The French data protection agency (CNIL) severely penalises an insurance broker – Decision of 18 July 2019

Facts

Decision

CGPA comments

CGPA Europe

Latest News

Legal Mentions