Catherine Muyl and Marion Cavalier of Foley Hoag write:
On June 7, 2018, the French Data Protection Authority (the CNIL) published a decision (issued one month earlier) in which it imposed a record 250,000 euro fine on Optical Center (which, although its name does not indicate it, is a French company) for having insufficiently secured the personal data of its customers.
The CNIL noted that customers could access more than 300,000 documents (mainly invoices) of other customers on Optical Center’s website rather easily, by entering several URLs in a browser’s address bar. Optical Center did not implement a feature requiring customers to connect to their personal space in the customer area before any invoices are displayed (which would have limited access to other customers’ information). In other words, Optical Center customers could see too much!
Read more on Security, Privacy and the Law.