CNIL Fines Software Company $2 Million for Failure to Keep Personal Data Secure
France's data protection authority, CNIL, fined Nexpublica France, a designer of computer systems and software, 1.7 million euros ($2 million) for failing to build sufficient security measures into a software package, a failure that resulted in data breaches, the regulator said Wednesday.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Nexpublica develops a software package called PCRM, a tool for managing user relationships in the social services sector. Some departments that deal with people with disabilities use it, CNIL said.
In November 2022, Nexpublica's clients notified the DPA that users of the portal had reported being able to access documents relating to other people. CNIL's investigation found that the technical and organizational measures the company had in place to secure the data processed through the PCRM software were inadequate and breached the GDPR's security obligations.
In setting the fine, CNIL considered Nexpublica's financial situation, its lack of knowledge of basic security principles despite being an IT business, the number of people affected and the sensitivity of the data processed, in particular data revealing a disability, the watchdog said. It noted that the company corrected its flawed systems only after the data breaches had occurred.