CNIL Fines Rental Car Company for Data Security Failure Attributable to Third-Party Service Provider
Hunton & Williams explain:
On July 27, 2017, the French Data Protection Authority (“CNIL”) imposed a fine of €40,000 on a French affiliate of the rental car company, The Hertz Corporation, for failure to ensure the security of website users’ personal data.
On October 15, 2016, the CNIL was informed of the existence of a security incident which resulted in the compromise of personal data on a French website related to Hertz France’s discount program. The CNIL carried out an online investigation and found that personal data of approximately 35,000 users was easily accessible from a URL address. The CNIL notified Hertz France of the issue, who in turn informed its service provider in charge of designing the website. The service provider immediately took corrective actions to stop the issue. The investigation revealed that the issue was due to a mistake made by the service provider during a server change operation.
Read more on Privacy & Information Security Law Blog.