Cookies on Pinsent Masons website

This website uses cookies to allow us to see how the site is used. The cookies cannot identify you. If you continue to use this site we will assume that you are happy with this

If you want to use the sites without cookies or would like to know more, you can do that here.

French watchdog fines Hertz for data breach

Car rental business Hertz has been fined €40,000 by France's data protection authority for failing to prevent information about more than 35,000 customers from being published online.02 Aug 2017

The Commission nationale de l'informatique et des libertés (CNIL) said Hertz "failed to take all necessary measures to safeguard the security of the personal data of users of the site", in breach of its duties under French data protection laws.

Information such as the identity and contact information for customers, as well as their driver permits, was "freely accessible" on one of the company's websites after an IT service provider Hertz was using accidentally deleted a line of code when moving the website to another server, CNIL said.

Despite issuing Hertz with a fine, CNIL praised the company for its response to resolving the data breach, which included conducting an audit of its service provider, as well as for its cooperation with its regulatory investigation.

CNIL said it was the first time it had issued a fine for a data breach since the new law for a digital Republic in France had come into force in November 2016.

Paris-based privacy law expert Anne-Sophie Mouren of Pinsent Masons, the law firm behind Out-Law.com, said: "Since the new law came into force, CNIL has had the power to issue fines of up to €3 million to businesses that breach data protection laws in France. Previously, the highest penalty it could issue was €150,000, or €300,000 in the event of a recurrent breach. The positive actions taken by Hertz in speedily resolving the breach may have helped it avoid a stiffer penalty."

"The new law also created the right for CNIL to fine data controllers without prior notice, where the infringement found cannot be brought back to compliance in the context of a prior notice procedure," she said.

"The case is also notable because of CNIL's decision to publicise its enforcement action. It has recognised the power of publicity as serving as a deterrent to other businesses. While the fine is relatively small, the reputational damage associated with the reporting of data breaches is something that all businesses will want to avoid. In this case it was the data controller that was fined by CNIL, but data processors should note that in future, under the General Data Protection Regulation, they too will be exposed to potential liability for multi-million euro fines for data breaches," Mouren said.