Presentation
Many companies are currently being penalized or are at risk of being penalized for the conditions under which personal data is stored.
New data protection regulations impose accountability on those who collect and process personal data, as inadequate security procedures can lead to the disclosure or loss of documents containing personal data.
Even if professionals lack the technical expertise to assess the reliability of their solutions, they still have a duty to ensure their security.
Personal data: Weak passwords and systems without two-factor authentication
As professionals frequently point out, weak passwords, widely tolerated by online platforms without any additional authentication step (email, phone or other confirmation), make it easier for attackers to break into a system by trying large numbers of common passwords.
John Oliver’s interview with Edward Snowden on Last Week Tonight illustrated how disconcertingly easy it has become to break into servers protected by short or weak passwords, and encouraged the use of “passphrases” rather than single words.
Find the full interview here.
GDPR & the Internet: The weakness of URLs in terms of access to customer accounts
Numerous companies have been penalized because changing a single element of a URL was enough to reach every record in their service's database. The CNIL (French Data Protection Authority) considers such a breach to be a violation of Article 32 of the GDPR, which sets out the obligation to ensure the security and confidentiality of personal data.
See below for our analyses of the associated penalties:
- Active Assurance in 2019
- Alliance Française in 2018
- Darty in early 2018
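The flaw described above, as an added example that is not part of the original article: a simplified server-side lookup behind a URL such as /orders/1002, once written without any ownership check and once with it, plus a self-assessment helper that counts how many records one account can read. The user names, order numbers and record contents are constructed for illustration.

```python
# Added example (not from the original article): model of the "change one element
# of the URL" flaw and the authorization check that fixes it.  All data is constructed.
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str      # account that placed the order
    details: str    # personal data: name, address, purchase


# Constructed sample table: sequential ids make every record guessable from the URL.
ORDERS = {
    1001: Order(1001, "alice", "Alice Martin, 12 rue X, television"),
    1002: Order(1002, "bob", "Bob Durand, 5 avenue Y, laptop"),
}


def fetch_order_insecure(session_user: str, order_id: int) -> Optional[Order]:
    """Vulnerable: trusts the id taken from the URL and ignores who is asking,
    so any logged-in user who edits the number reads any customer's order."""
    return ORDERS.get(order_id)


def fetch_order_secure(session_user: str, order_id: int) -> Optional[Order]:
    """Hardened: the caller is taken from the server-side session, and the record
    is returned only if that caller owns it.  An unknown id and someone else's id
    both return None, so the response does not reveal which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != session_user:
        return None
    return order


def audit_exposure(fetch: Callable[[str, int], Optional[Order]],
                   session_user: str, id_range: Iterable[int]) -> int:
    """Self-check for an operator: how many records can a single test account read
    by walking an id range?  For a correct endpoint the answer is that account's own."""
    return sum(1 for oid in id_range if fetch(session_user, oid) is not None)


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("insecure endpoint, alice reads:", audit_exposure(fetch_order_insecure, "alice", ids))
    print("secure endpoint, alice reads:", audit_exposure(fetch_order_secure, "alice", ids))
```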
GDPR & Data Protection: The Lack of Data Encryption
Encryption is the process of converting data from a readable format into an encoded form that can only be read or processed after decryption. If a computer system is lost or breached, this mechanism preserves the confidentiality of any information that is intercepted. It is also an effective way to guarantee its authenticity and origin.
Several methods have been developed in recent decades—asymmetric cryptography, symmetric encryption keys, etc.—to enhance the confidentiality and protection of computer systems, including HTTPS connections, VPNs, SSH access, and so on.
As the CNIL frequently notes during its inspections, easily avoidable flaws and oversights of this kind are often at the root of breaches of the data protection rules.