French Regulator Hits Nexpublica With €1.7 Million Fine Over Security Failures in Social Services Software

Key Takeaways
  • Security Obligations Apply in Full: Article 32 GDPR requires security measures proportionate to risk, especially when sensitive data such as disability information is involved.
  • Known Vulnerabilities Increase Exposure: Leaving audit-identified flaws unaddressed can significantly aggravate enforcement outcomes.
  • IT Expertise Raises Expectations: Companies specializing in software and IT systems are held to a higher standard when it comes to baseline security practices.
  • Post-Breach Fixes Are Not a Shield: Corrective actions may limit follow-on orders, but they do not erase accountability for past failures.
Deep Dive

France’s data protection authority, the CNIL, has fined Nexpublica €1.7 million after finding that the company failed to properly secure software used to manage highly sensitive personal data in the social services sector.

The sanction stems from a series of personal data breaches linked to Nexpublica’s PCRM platform, a user relationship management tool used by public bodies including Departmental Houses for the Disabled (MDPH).

The case first came to light in late November 2022, when several customers alerted the CNIL that users of the PCRM portal were able to view documents belonging to other individuals, a cross-user access control failure. Those reports raised immediate concerns given the nature of the data involved, which included information revealing disabilities.

Following those notifications, the CNIL opened an investigation into the technical and organizational safeguards protecting data processed through PCRM. Investigators concluded that the measures in place were not up to the standards required under the GDPR, particularly in light of the sensitivity of the data and the risks to individuals’ rights and freedoms.

At the heart of the decision is Article 32 of the GDPR, which requires both data controllers and processors to implement security measures appropriate to the risks, taking into account factors such as the state of the art, implementation costs, and the scope and purpose of processing. The CNIL’s restricted committee found that Nexpublica fell short of those obligations, pointing to what it described as a broadly weak information system and a lack of diligence in addressing known security shortcomings.

According to the regulator, many of the vulnerabilities identified in PCRM were not obscure or novel. They reflected gaps in basic security principles and awareness of established best practices. More significantly, those weaknesses had already been flagged in several audit reports available to the company. Despite that, the flaws remained uncorrected until after the data breaches occurred.

Those circumstances weighed heavily in the CNIL’s assessment. The committee also emphasized that Nexpublica’s core business is the design of IT systems and software, a factor that aggravated the seriousness of the failings in the regulator’s view. When setting the €1.7 million fine, the CNIL said it took into account the company’s financial capacity, the number of people affected, and the particularly sensitive nature of the data exposed.

The regulator did not impose a formal compliance order alongside the financial penalty. The decision notes that Nexpublica implemented corrective measures after the breaches were identified, addressing the security issues uncovered during the investigation.
