June 16, 2018
Optical Center, a French retailer of optical and hearing products and services, has been fined €250,000 for a data breach that occurred before the General Data Protection Regulation (GDPR) came into force on May 25.
CNIL, the French data protection authority, imposed the fine after the company failed to protect its customers' data on its website. In July 2017 it was found that customers' invoices could be accessed with relative ease. These invoices contained personally identifiable information (PII) including first and last name, postal address and social security number, as well as health details such as the customer's ophthalmic correction (prescription).
Optical Center admitted that there was no procedure to verify a customer's identity before their invoices could be retrieved. Although the company fixed the flaw in its IT systems, CNIL found that it had not complied with Article 34 of the French Data Protection Act.
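The flaw described above is a missing object-level authorization check: an invoice could be fetched without the site first establishing who was asking and whether the invoice belonged to them. The following is an added illustration, not Optical Center's code or CNIL's findings; the invoice store, session table, names and the `DENIED_LOG` audit list are all constructed for the example. It places the weak lookup beside the hardened one so the difference is visible.

```python
"""Added example: invoice retrieval with and without an ownership check.

Everything here (clients, invoices, sessions, function names) is constructed
for illustration and is not the retailer's actual code or data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    client_id: int            # the customer the invoice belongs to
    redacted_ssn: str         # constructed sample value, not real data

# Constructed sample store: two customers, one invoice each.
INVOICES = {
    1001: Invoice(1001, client_id=7, redacted_ssn="***-**-1234"),
    1002: Invoice(1002, client_id=8, redacted_ssn="***-**-5678"),
}

# Constructed session table: session token -> authenticated customer id.
SESSIONS = {"sess-alice": 7, "sess-bob": 8}

# Denied requests are recorded so repeated probing of invoice ids can be
# detected by whoever reviews the logs.
DENIED_LOG: List[Tuple[Optional[str], int]] = []

class AccessDenied(Exception):
    """Raised when a request must not be served."""

def get_invoice_weak(invoice_id: int) -> Optional[Invoice]:
    """Vulnerable pattern (the kind of behaviour the article describes):
    the invoice is looked up by id alone. Nothing checks that the caller
    is logged in, let alone that the invoice is theirs."""
    return INVOICES.get(invoice_id)

def get_invoice_hardened(session_token: Optional[str], invoice_id: int) -> Invoice:
    """Fixed pattern: authenticate first, then enforce that the invoice's
    owner is the authenticated customer (object-level authorization).
    Unknown ids and other customers' ids fail with the same error so the
    response does not reveal whether an invoice id exists."""
    client_id = SESSIONS.get(session_token) if session_token else None
    if client_id is None:
        DENIED_LOG.append((session_token, invoice_id))
        raise AccessDenied("authentication required")
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.client_id != client_id:
        DENIED_LOG.append((session_token, invoice_id))
        raise AccessDenied("invoice not found")
    return invoice

def can_access(session_token: Optional[str], invoice_id: int) -> bool:
    """Convenience wrapper: True only if the hardened lookup would serve it."""
    try:
        get_invoice_hardened(session_token, invoice_id)
        return True
    except AccessDenied:
        return False

if __name__ == "__main__":
    # The weak lookup hands out any invoice; the hardened one only the caller's own.
    print("weak, no session   :", get_invoice_weak(1002))
    print("alice, own invoice :", can_access("sess-alice", 1001))
    print("alice, bob's       :", can_access("sess-alice", 1002))
    print("no session         :", can_access(None, 1001))
    print("denied requests    :", DENIED_LOG)
```

The hardened function deliberately answers "not found" for both a non-existent invoice and another customer's invoice; distinguishing the two would let a caller confirm which ids exist. The denial log is the detection side of the same control: a single customer account producing many denials across different invoice ids is the pattern worth alerting on.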
This is the largest fine for a data privacy breach ever issued in France. It is also the second time Optical Center has been fined for a breach of personal data: in 2015 it received a €50,000 fine for a different data breach. That earlier sanction was taken into account when determining the size of the latest penalty.
CNIL decided to publish the details of the breach and the penalty imposed, citing “the particular sensitivity of the data that was made easily accessible, the number of clients impacted and the number of official papers included in the firm’s database at the time of the happening (more than 334,000).”
The French Data Protection Act allows a maximum fine of €3,000,000 for non-compliance with the data protection rules; under GDPR the maximum fine could have been up to €20m or 4% of the company’s annual revenue, whichever is higher.