CNIL (France) - SAN-2022-009

From GDPRhub
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 28 GDPR
Article 29 GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started: 23.02.2021
Decided: 15.04.2022
Published: 21.04.2022
Fine: 1500000 EUR
Parties: n/a
National Case Number/Name: SAN-2022-009
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: czapla

The French DPA issued a fine of €1,500,000 against a software solutions provider acting as a processor for medical analysis laboratories, due to a data breach concerning the data of almost 500,000 data subjects in violation of Articles 28, 29, and 32 GDPR.

English Summary

Facts

Dedalus Biologie is a software solutions provider for medical analysis laboratories. In February 2021, a press article was published which revealed that confidential information of 500,000 French patients had been stolen from laboratories and uploaded to an online forum. The French DPA subsequently carried out an online investigation, finding that the personal data of 491,840 patients had been published in a file that could easily be downloaded, including sensitive data such as health data concerning information relating to HIV infection, cancer or genetic diseases, pregnancy, drug treatments or genetic data.

Subsequently, the DPA carried out on-site investigations, first at the premises of Dedalus Biologie and then in the two laboratories concerned by the data breach, to see whether they were GDPR-compliant. At the end of the investigations, the rapporteur proposed fining Dedalus Biologie on the basis of the GDPR breaches he considered to have occurred.

Holding

First, the DPA found that Dedalus Biologie was the processor pursuant to Article 4(8) GDPR as it provides laboratories with the tools to facilitate the implementation of processing and only acts in the name and under the responsibility of the laboratories.

Consequently, the DPA held that the processor had violated Article 28(3) GDPR because the contracts between it and the controllers did not provide the necessary information required by that provision. For instance, one of the contracts referred to obsolete provisions of the Data Protection Act. The DPA clarified that the mere existence of a section on personal data does not meet the requirements of Article 28(3) GDPR. The processor did not dispute this violation. However, it claimed that it was not solely responsible as Article 28(3) GDPR imposes obligations on both the processor and the controller.

Then, the DPA found a breach of Article 29 GDPR. The processor had processed data beyond the instructions given by the data controllers by extracting more data than necessary for the commissioned data migration of software to another tool. The processor argued that its former extraction tool had only allowed for total extraction of patient files but that it had successfully migrated to a new tool in the meantime. However, since the controllers had asked only for certain data to be extracted, the DPA still found this violation. The processor should not have relied on an unsuitable tool to justify having exceeded the controllers' instructions. Instead, it could for instance have opted for another tool or at least deleted all the data that should not have been extracted.

Finally, the DPA held that the processor had violated Article 32 GDPR due to many technical and organisational shortcomings in the security of the operations to migrate data from one software product to another, including the lack of a specific procedure for data migration operations, the lack of encryption of personal data stored on the server concerned, the absence of automatic deletion of data after migration to the other software, the absence of authentication required from the internet to access the public area of the server, the use of user accounts shared between several employees on the private area of the server, and the lack of a supervision procedure and of security alert escalation on the server.

Based on the seriousness of the breaches identified, and also taking into account the turnover of the company, the DPA decided on the high fine of €1,500,000. It also criticised the processor for not having taken any specific measures to stop the dissemination of the file once it became aware of it. It was the DPA which seized the Paris court to block access to the site on which the leaked data was published. The court's decision made it possible to limit the consequences of the breach for the affected individuals.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation SAN-2022-009 of April 15, 2022
National Commission for Information Technology and Freedoms
Nature of deliberation: Sanction
Legal state: In force
Date of publication on Legifrance: Thursday April 21, 2022
Deliberation of the restricted formation no. SAN-2022-009 of April 15, 2022 concerning the company DEDALUS BIOLOGIE
The National Commission for Information Technology and Freedoms, meeting in its restricted formation composed of Mr. Alexandre LINDEN, President, Mr. Philippe-Pierre CABOURDIN, Vice-President, Ms. Anne DEBET, Ms. Christine MAUGÜÉ, Mr. Bertrand du MARAIS and Mr. Alain DRU, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and on the free movement of such data;

Having regard to Law No. 78-17 of January 6, 1978, as amended, relating to information technology, files and freedoms, in particular Articles 20 et seq.;

Having regard to Decree No. 2019-536 of May 29, 2019 taken for the application of Law No. 78-17 of January 6, 1978 relating to information technology, files and freedoms;

Having regard to Deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Information Technology and Freedoms;

Having regard to Decision no. 2021-028C of the President of the National Commission for Information Technology and Freedoms of February 24, 2021 instructing the Secretary General to carry out or have carried out a mission to verify any processing accessible from the domains [...] or relating to personal data collected from them;

Having regard to Decision no. 2021-029C of the President of the National Commission for Information Technology and Freedoms of February 25, 2021 instructing the Secretary General to carry out or have carried out an inspection of the companies DEDALUS FRANCE and DEDALUS BIOLOGIE;

Having regard to Decision no. 2021-031C of the President of the National Commission for Information Technology and Freedoms of March 2, 2021 instructing the Secretary General to carry out or have carried out a mission to verify any processing of personal data accessible online that might be linked to the facts described by the newspaper Libération in its article entitled "Confidential information of 500,000 French patients stolen from laboratories";

Having regard to Decision no. 2021-034C of the President of the National Commission for Information Technology and Freedoms of March 5, 2021 instructing the Secretary General to carry out or have carried out an inspection of the company [...];

Having regard to Decision no. 2021-035C of the President of the National Commission for Information Technology and Freedoms of March 5, 2021 instructing the Secretary General to carry out or have carried out an inspection of the company [...];

Having regard to the decision of the president of the National Commission for Information Technology and Freedoms appointing a rapporteur to the restricted panel, dated October 6, 2021;

Having regard to the report by François PELLEGRINI, rapporteur commissioner, notified to DEDALUS BIOLOGIE on December 9, 2021;

Having regard to the written observations submitted by counsel for the company DEDALUS BIOLOGIE on January 24, 2022;

Having regard to the rapporteur's response to these observations, notified to the company's counsel on February 7, 2022;

Having regard to the written observations submitted by counsel for the company DEDALUS BIOLOGIE, received on February 21, 2022;

Having regard to the oral observations made during the session of the restricted formation;

Considering the other documents in the file;

Were present at the session of the restricted formation of March 10, 2022:

- Mr François PELLEGRINI, Commissioner, heard in his report;

As representatives of DEDALUS BIOLOGIE :

- [...]

The company DEDALUS BIOLOGIE having had the floor last;

After deliberating, the restricted formation adopted the following decision:

I. Facts and procedure

1. DEDALUS BIOLOGIE (hereinafter "the company") is a simplified joint-stock company with a single shareholder, registered in the Strasbourg trade and companies register under number 348 585 233 since December 1, 1988. Its activity is the publishing of application software. It has between ten and nineteen employees.

2. DEDALUS BIOLOGIE is part of the DEDALUS group, which employs around nine hundred people and which is made up, in France, of five companies.

3. DEDALUS BIOLOGIE markets software solutions for medical analysis laboratories, known as laboratory management solutions. About three thousand private medical biology laboratories and between thirty and fifty analysis laboratories of public health establishments are equipped with solutions published by the company DEDALUS BIOLOGIE.

4. To date, five software packages are marketed, among them the KALISIL software. Two solutions previously marketed by DEDALUS BIOLOGIE are no longer maintained and are considered obsolete, among them MEGABUS, whose "end of life" was reached in September 2019 according to the company. Customers using the MEGABUS solution received a letter from the company NETIKA (former name of DEDALUS BIOLOGIE) in 2018 informing them of the "final cessation of maintenance" of this solution.

5. For the use of software marketed by the companies DEDALUS FRANCE and DEDALUS BIOLOGIE, customers acquire a license. DEDALUS BIOLOGIE also provides installation, start-up and customer support services for the use of software. A maintenance contract is generally concluded to ensure updates of the solutions, which include in particular new functionalities and make it possible to maintain the solutions in accordance with the standards in force.

6. On February 23, 2021, a press article entitled "Confidential information of 500,000 French patients stolen from laboratories and disseminated online" was published by the newspaper Libération. This article reported the presence on a forum of a download link to a file containing the medico-administrative data of nearly 500,000 people: "According to specialists, the leak is of unprecedented scale in France for data relating to health. The file in question, which "CheckNews" was able to consult, contains the complete identity of almost half a million French people, often accompanied by critical data, such as information on their state of health or even their password. Initially shared on hacker forums, this database is increasingly widely distributed."

7. Pursuant to Decision no. 2021-028C of the President of the National Commission for Information Technology and Freedoms (hereinafter the "Commission" or the "CNIL") of February 24, 2021, the CNIL carried out an online inspection to verify the compliance with Law No. 78-17 of January 6, 1978, as amended, relating to information technology, files and freedoms (hereinafter the "IT and Freedoms Law") and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "GDPR" or the "Regulation") of any processing accessible from the domains [...] or relating to personal data collected from them.

8. As part of the online check carried out, the file containing the medico-administrative data was downloaded. It appeared that the personal data of 491,840 patients were included, including:

- identification data: social security number, surname, first names, sex, postal address, telephone number, email address, date of last medical visit, date of birth;

- two columns of free comments containing in particular information relating to patient pathologies (HIV, cancers, genetic diseases), pregnancy, drug treatments followed by the patient or genetic data;

- identification data of the prescribing doctor: surname, first name, postal address, telephone number, email address;

- data relating to the sampler: surname, first name, address, telephone number;

- data relating to the patient's complementary health insurer: "Id third party paying" (a sequence of digits), postal address, telephone number;

- a column "SR identifier" and a column "PM", corresponding, judging by their content, to the identifiers and passwords used by patients to log in to their personal space.

9. Pursuant to Decision No. 2021-029C of the President of the Commission of February 25, 2021, the CNIL carried out a documentary control mission with the companies DEDALUS FRANCE and DEDALUS BIOLOGIE, in order to verify compliance with the IT and Freedoms law and the RGPD of treatments implemented by medical analysis laboratories using the solutions or services marketed by these companies. This mission was carried out by sending a questionnaire to DEDALUS FRANCE, sent by email on February 25, 2021.

10. On February 26, the company sent response elements to the CNIL, including the names and addresses of the medical analysis laboratories concerned by the above-mentioned data breach.

11. Pursuant to the same decision, a CNIL delegation carried out, on March 1, 2021, an on-site inspection at the premises of DEDALUS FRANCE, located at 22, avenue Galilée, PLESSIS-ROBINSON (92350), after informing the territorially competent public prosecutor and the data protection officer of DEDALUS FRANCE and DEDALUS BIOLOGIE.

12. On March 5, March 10, April 1, April 6 and April 19, 2021, the companies DEDALUS FRANCE and DEDALUS BIOLOGIE transmitted the additional elements requested by the delegation during the on-site inspection.

13. In parallel, on March 1, 2021, the CNIL brought expedited summary proceedings (référé d'heure à heure) against the various Internet service providers, in order to ensure the effective blocking of the file containing the data of nearly 500,000 patients.

14. Pursuant to Decision No. 2021-031C of the President of the Commission of March 2, 2021, the CNIL carried out an online control mission the same day, in order to verify the presence of the disputed file online, by looking for it from different search engines.

15. By order of March 4, 2021, the judge of summary proceedings of the court of PARIS ordered "SA ORANGE, SAS FREE, SA SFR and SA BOUYGUES TELECOM to implement or have implemented, without delay and for a period of 18 months from this decision, all the most suitable and effective targeted surveillance measures likely to ensure the effective blocking of the online public communication service" [...] "on their networks".

16. Pursuant to decisions n ° 2021-034C and n ° 2021-035C of the President of the Commission of March 5, 2021, the CNIL carried out on-site control missions to companies [...] and [...] on March 10 2021.

17. Both laboratories having been concerned by the aforementioned data breach, the purpose was to verify these two companies' compliance with the provisions of the IT and Freedoms Law and the GDPR.

18. By email of 11 June 2021 addressed to the data protection officer of the companies DEDALUS FRANCE and DEDALUS BIOLOGIE, the CNIL delegation requested additional information from these companies, which were sent on 24 June 2021.

19. For the purpose of examining this file, the President of the Commission, on October 6, 2021, appointed Mr. François PELLEGRINI as rapporteur on the basis of Article 39 of Decree no. 2019-536 of May 29, 2019 taken for the application of the Law of January 6, 1978, as amended.

20. At the end of his investigation, the rapporteur, on December 9, 2021, had a report notified to DEDALUS BIOLOGIE detailing the breaches of the GDPR which he considered to have occurred in this case.

21. This report proposed that the restricted formation of the Commission impose an administrative fine on the company for the breaches of Articles 28(3), 29 and 32 of the GDPR. He also proposed that the sanction decision be made public, but that it no longer be possible to identify the company by name two years after its publication.

22. By letter dated December 10, 2021, the company, through its counsel, requested additional time to provide its comments in response. By letter dated December 15, 2021, the president of the restricted formation granted it additional time until January 24, 2022.

23. On January 24, 2022, the company produced comments in response to the sanction report.

24. The rapporteur responded to the company's comments on February 7, 2022. A letter was also given to the company, informing it that the file was on the agenda of the restricted formation of March 10, 2022.

25. On February 21, 2022, the company produced new comments in response to those of the rapporteur.

26. The company and the rapporteur presented oral observations during the session of the restricted formation.

II. Grounds for the decision

A. On the company's status with regard to the processing in question

27. Under Article 4 of the GDPR, the controller is defined as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing" (point 7) and the processor as "the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller" (point 8).

28. The rapporteur notes that DEDALUS BIOLOGIE markets software solutions for medical analysis laboratories. As part of the service it offers to laboratories, the company, on the one hand, merely makes tools, in particular IT tools, available to laboratories to facilitate the implementation of processing and, on the other hand, acts only in the name and under the responsibility of the laboratories for software maintenance and, where applicable, migration to other software, for example. According to the rapporteur, the company must therefore be regarded as acting as a processor for the laboratories within the meaning of Article 4(8) of the GDPR.

29. In defense, the company does not dispute the rapporteur's analysis on this point.

30. The restricted formation considers that the concepts of controller and processor must be the subject of a concrete assessment taking into account all the elements that make it possible to attribute one or the other of these qualities to an entity. As such, it notes that it appears from the information communicated to the CNIL that the company DEDALUS BIOLOGIE acts as a processor for the processing implemented on behalf of its customers, the laboratories, which are the controllers, insofar as it provides laboratories with IT tools enabling them to implement their processing and that it acts, in general, only on the basis of their instructions.

31. It is therefore up to the restricted panel to examine, in the light of this quality, the complaints made by the rapporteur against the company.

B. On the breaches of the GDPR

1. Failure to supervise the processing carried out on behalf of the controller by a formal legal act

32. Under Article 28(3) of the GDPR, "Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:

a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

c) takes all measures required pursuant to Article 32;

d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor; [...]".

33. The rapporteur considers that it appears from the elements transmitted by the company DEDALUS BIOLOGIE that the various documents governing the contractual relations between the processing company and the laboratories do not include the information required by Article 28 of the GDPR. He notes that the general conditions of sale proposed by DEDALUS BIOLOGIE at the time the laboratories accept its service do not contain any of the information required by this article. Likewise, he notes that the required information does not appear either in the maintenance contracts concluded between the company and the laboratories, as transmitted to the CNIL.

34. In defense, while the company does not dispute the materiality of the breach of Article 28 of the GDPR, it specifies that the conclusion of a processing contract constitutes an obligation both for the controller and for the processor. It concludes that DEDALUS BIOLOGIE cannot be held solely responsible for this failure. It also insists on the efforts made to comply with the GDPR from 2018 onwards and indicates that new models of processing contract meeting the requirements of Article 28 are being deployed.

35. First, the restricted formation notes that the fact that the obligation resulting from Article 28(3) of the GDPR rests both with the controller and with the processor has no bearing on the existence of the processor's own responsibility. It notes that it is the company itself which transmits to the laboratories its own general conditions of sale, which serve as the contractual framework under the GDPR.

36. Secondly, the restricted formation notes that the general conditions of sale proposed by DEDALUS BIOLOGIE at the time the laboratories accept its service, transmitted by the company as part of the inspection procedure, do not include any of the information required by Article 28 of the GDPR. Likewise, it notes that the required information does not appear either in the maintenance contracts sent to the CNIL, concluded between the company and the laboratories. By way of illustration, the maintenance contract concluded between NETIKA SAS (former name of DEDALUS BIOLOGIE) and the company [...] on September 13, 2019 does include a part dedicated to personal data, but one which does not meet the requirements of Article 28 of the GDPR and refers to obsolete provisions of the IT and Freedoms Law. The restricted formation also notes that the example of an assistance and maintenance contract submitted by the company to the CNIL delegation during the on-site inspection of March 1, 2021 also does not contain the information required under Article 28 of the GDPR. While it contains a part dedicated to personal data, this does not meet the requirements of that article.

37. Third, the restricted formation notes that the company DEDALUS BIOLOGIE has deployed new models of processing contract and has taken steps to comply with the provisions of Article 28 of the GDPR. However, the fact remains that the company initiated this process with its customers in the context of these proceedings and that it was not in compliance at the time of the findings made by the CNIL. It is still not in compliance for certain contracts, since the company indicated, in its last observations, that it was continuing its actions aimed at transmitting updated contracts to all of its customers and negotiating them if necessary.

38. Consequently, in the light of all these elements, the restricted formation considers that these facts constitute a breach of Article 28(3) of the GDPR, which, moreover, the company does not dispute.

2. On the breach of the processor's obligation to process personal data only on the controller's instructions

39. Under Article 29 of the GDPR, "The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law."

40. The rapporteur notes that DEDALUS BIOLOGIE extracted a larger volume of data than that required in the context of the migration requested by its customers, the laboratories [...] and [...]. The rapporteur concludes that DEDALUS BIOLOGIE processed data beyond the instructions given by the controllers, which constitutes a breach of Article 29 of the GDPR.

41. In defense, the company specifies that the extraction tool available in the old DXLAB ONE software, used for these migrations, only allowed a total extraction of the patient file of the laboratory concerned, without the possibility of applying filters on the fields to be exported so as to extract only some of them. It adds that DEDALUS BIOLOGIE carried out the migration of its customers' data to a new software solution in accordance with their instructions, since once the data file to be migrated had been established, the company always requested validation from the laboratory concerned before carrying out the migration. The company concludes that it carried out the extraction operations necessary for the migration and that the scope of the data to be migrated was defined in accordance with the instructions of the laboratories concerned and taking into account the technical limitations of the tools used at the time to perform these migrations.

42. In its last observations in response, the company indicates that it "does not intend to undermine the reality of its failure to carry out the processing of personal data, as a processor, only on the instructions of the controller". However, it recalls the significant investments made by the company over the past several years, in particular to develop new software solutions. It adds that it is precisely because it was aware of the obsolete nature of the MEGABUS software and the associated migration tools that it set out to develop a more innovative solution that respects the requirements of the GDPR, and that this is how it offered its customers, from 2018, to switch to the KALISIL software.

43. First, the restricted formation notes that, as will be established below, the various elements collected during the inspections of the laboratories [...] and [...] established that DEDALUS BIOLOGIE extracted a larger volume of data than that required for the migration requested by its customers.

44. Regarding the laboratory [...], the on-site inspection report mentions that the latter requested, "according to the recommendations of DEDALUS", a data migration from the MEGABUS solution (also called DXLAB ONE) to the KALISIL solution for patients who had undergone a medical analysis after May 7, 2017. However, the data extracted by DEDALUS BIOLOGIE for this migration included 8,403 lines relating to patients whose date of last visit was before May 7, 2017, representing 6.5% of the total volume.

45. Regarding the laboratory [...], the restricted formation notes that, as part of a software change, the laboratory asked DEDALUS BIOLOGIE to extract the patient database contained in the DXLAB ONE software in order to migrate to other software published and maintained by a third-party company. To this end, the company [...] provided DEDALUS with a list of fields to be extracted for import into the new software solution. The columns "comment P" (containing information such as "100% STERILITY", etc.) and "comment D" (containing information such as "BONE TUBERCULOSIS UNDER RIFATER", "XARELTO" (a medicine), "DIABETE", etc.) were also extracted, although they were not included in the list of fields to be extracted.

46. Thus, the restricted formation concludes that the data extracted by the company DEDALUS BIOLOGIE, including in particular the "comment P" and "comment D" columns which should not have been extracted, cover a wider scope than the controller's request.

47. Secondly, the restricted formation notes that, with regard to the validation of the extractions by the laboratories concerned, the company produces only two documents entitled "SAV tickets" (customer-service tickets) in support of its statements, which are not in fact sufficient to demonstrate that it carried out the extraction operations in accordance with the laboratories' instructions and that the laboratories validated the content of the extractions. These "SAV tickets" only record that the company DEDALUS sent files containing the extractions to two laboratories and in no way demonstrate a validation given by the laboratories concerned.

48. The restricted formation also notes that the company claims, in the case of [...], to have had "a return email confirming the conformity of the said file with the instructions of the laboratory". This statement is inaccurate since, according to the "SAV ticket", the return email comes from the company [...], a third-party company which publishes and maintains the other software to which the extracted data were to be migrated. Thus, this email cannot constitute a valid validation of the extraction by the customer, insofar as the company [...] is a third-party company.

49. Third, the restricted formation considers that the company cannot rely on an unsuitable tool to justify having exceeded the instructions of the controllers. It could, for example, have opted for another tool allowing it to comply with the instructions given by its customers, as it indicates now, or at least deleted all the data which should not have been extracted.

50. Given these elements, the restricted formation considers that the company DEDALUS BIOLOGIE processed data beyond the instructions given by the controllers, which constitutes a breach of Article 29 of the GDPR.
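Paragraphs 44, 45 and 49 together describe the scoping the controllers had asked for: a cutoff on the last-visit date in one laboratory's case, a list of fields in the other's, and in both cases the option of deleting whatever a whole-table export produced beyond that. The following is an added example, not code from the decision or from Dedalus Biologie, of such a post-export scoping step in Python. The field names, the shape of the instruction and the three sample rows are constructed for illustration.

```python
"""Scoping a migration extract to the controller's documented instruction.

Added example (not the parties' code). It models the two findings in
paragraphs 44 and 45: rows older than the cutoff date the laboratory asked
for, and columns ("comment P", "comment D") that were not on the
laboratory's list of fields. Field names, the instruction structure and
the sample rows below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class ExtractionInstruction:
    """What the controller (the laboratory) actually asked for."""
    fields: tuple[str, ...]               # columns the laboratory listed
    last_visit_on_or_after: date | None   # cutoff date, or None for no date filter


@dataclass
class ScopeReport:
    """What was removed from the raw export before hand-over, for validation."""
    rows_in: int = 0
    rows_out: int = 0
    rows_dropped_by_date: int = 0
    columns_dropped: list[str] = field(default_factory=list)

    @property
    def share_out_of_scope(self) -> float:
        return self.rows_dropped_by_date / self.rows_in if self.rows_in else 0.0


def scope_extract(rows: list[dict], instruction: ExtractionInstruction) -> tuple[list[dict], ScopeReport]:
    """Reduce a full-table export to exactly what the controller instructed.

    The tool described in paragraph 41 could only export whole patient files;
    this is the step paragraph 49 says remained available: drop the columns
    that were not instructed and the rows outside the date range, and keep a
    report so the controller can validate the scope before migration.
    """
    report = ScopeReport(rows_in=len(rows))
    present: set[str] = set()
    for row in rows:
        present.update(row.keys())
    report.columns_dropped = sorted(present - set(instruction.fields))

    kept: list[dict] = []
    cutoff = instruction.last_visit_on_or_after
    for row in rows:
        last_visit = row.get("last_visit")
        # A row with no usable last-visit date cannot be shown to be in scope,
        # so it is treated as out of scope rather than passed through.
        if cutoff is not None and (last_visit is None or last_visit < cutoff):
            report.rows_dropped_by_date += 1
            continue
        kept.append({name: row[name] for name in instruction.fields if name in row})
    report.rows_out = len(kept)
    return kept, report


# Constructed sample rows in the style of paragraphs 44-45 (not real data).
SAMPLE_ROWS = [
    {"patient_id": "P1", "surname": "A", "last_visit": date(2017, 3, 1),
     "comment P": "100% STERILITY", "comment D": "XARELTO"},
    {"patient_id": "P2", "surname": "B", "last_visit": date(2018, 9, 12),
     "comment P": "", "comment D": "DIABETE"},
    {"patient_id": "P3", "surname": "C", "last_visit": date(2017, 5, 7),
     "comment P": "", "comment D": ""},
]

# Constructed instruction: three listed fields and the May 7, 2017 cutoff.
SAMPLE_INSTRUCTION = ExtractionInstruction(
    fields=("patient_id", "surname", "last_visit"),
    last_visit_on_or_after=date(2017, 5, 7),
)


def run_sample() -> tuple[list[dict], ScopeReport]:
    return scope_extract(SAMPLE_ROWS, SAMPLE_INSTRUCTION)


if __name__ == "__main__":
    kept_rows, scope_report = run_sample()
    print(f"kept {scope_report.rows_out}/{scope_report.rows_in} rows, "
          f"dropped columns {scope_report.columns_dropped}, "
          f"out of scope {scope_report.share_out_of_scope:.1%}")
    for r in kept_rows:
        print(r)
```

The report is the artefact a processor would attach to the extract when asking the laboratory to validate it, which is the validation paragraph 47 found undocumented; `share_out_of_scope` is the same kind of figure as the 6.5% in paragraph 44. Running the scoping before the file is written to any shared staging area also removes the surplus data the later Article 32 findings turn on.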

3. Failure to comply with the obligation to ensure data security

51. Under Article 32 of the GDPR, "1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. [...]".

52. The rapporteur notes that, as early as March 2020, a former employee of DEDALUS BIOLOGIE had reported security problems to his employer. According to the rapporteur, it is established that he had indeed raised relevant alerts, as emerges from internal exchanges between [...].

53. The rapporteur then notes that, on 4 November 2020, the French National Agency for the Security of Information Systems (hereinafter "ANSSI") observed that data on patients of laboratory [...] were being sold on the darknet, a sub-network of the Internet with anonymisation features in which resources are not necessarily indexed by search engines. ANSSI sent the laboratory concerned a file containing 56 lines of personal data of its patients. The same day, the file and the ANSSI email were forwarded to the company DEDALUS BIOLOGIE by the information systems director of the network [...], to which laboratory [...] belongs.

54. The rapporteur then notes that, on 23 February 2021, the confidential information of nearly 500,000 patients was disseminated on the Internet. On 24 February 2021, the company DEDALUS BIOLOGIE engaged the company [...] to carry out a forensic analysis. That company issued its investigation report on 26 March 2021.

55. The rapporteur further notes that, in the course of its investigations, DEDALUS BIOLOGIE established a correspondence between the data in the file transmitted by ANSSI and the data present on an FTP server hosted on the MEGABUS remote-maintenance server (MEGAEXT). About 90% of the personal data in the file concerned by the breach, published on the Internet in February 2021, was present on the MEGABUS (MEGAEXT) FTP server.

56. According to the rapporteur, numerous technical and organisational security shortcomings were noted during the CNIL's inspections and are attributable to DEDALUS BIOLOGIE. He noted in particular the absence of a specific procedure for data migration operations, the absence of encryption of personal data stored on the MEGABUS FTP server, the absence of automatic erasure of data after migration to other software, the absence of any authentication requirement for Internet access to the public area of the MEGABUS FTP server, the use of user accounts shared between several employees for the private area of that same server, and the absence of a procedure for monitoring and escalating security alerts on the server.

57. The rapporteur concludes that, despite prior alerts, DEDALUS BIOLOGIE did not implement satisfactory security measures around the MEGABUS FTP server, which not only allowed unauthorised third parties to access the data concerned but also led to the disclosure on forums of a file containing the medical and administrative data of nearly 500,000 people.

58. In defence, the company states, with regard to the data breach that took place in February 2021, that the investigations carried out by the company [...] concluded that there had been intrusions on the DEDALUS BIOLOGIE FTP server. It specifies, however, that although the report notes that 90% of the content of the file circulating on the Internet was also present on the FTP server, it should be noted, a contrario, that the report of [...] found that about 10% of the file circulating on the Internet (about 43,000 records) was not on the FTP server and that approximately 50% of the data on the FTP server was not in the file circulating on the Internet. DEDALUS BIOLOGIE concludes that "in view of the remaining inconsistencies between the data present on the FTP server and those which have circulated on the Internet, the combined investigations of Dedalus Biologie and [...], which ended on 26 March 2021, did not allow it to conclude with certainty at the time that the said intrusions were at the origin of the cyber attack reported by the press". Finally, the company describes the various security measures put in place since then.

59. In its final observations in response, the company indicates that it does not intend to contest the rapporteur's findings on the absence of satisfactory security measures around the MEGABUS FTP server and states that it is aware of the shortcomings of the old technology used by its teams, but again highlights its security developments and significant compliance efforts.

60. Firstly, the restricted formation notes that it appears from the CNIL's findings that the company had no specific procedure for data migration operations. In particular, no security measures were planned for sending the data, even though they are sensitive within the meaning of Article 9 of the GDPR. Data extraction files were therefore sent "in the clear" (that is, directly readable, not having been transformed beforehand via a hash function) without any encryption or other security measure. Yet to secure migration operations involving such a large volume of sensitive personal data, specific procedures should be put in place describing, step by step, the sequence of tasks to be performed and the associated roles and responsibilities. Such procedures also give the laboratories or customers whose data have been processed and transmitted a detailed account of the operations. The absence of such procedures creates an easily avoidable risk of compromise of the personal data concerned, which can lead to the disclosure of private data.

61. Secondly, the restricted formation notes that several successive alerts should have led the company to investigate its security system. While, with regard to the report made by ANSSI in November 2020, the company indicates that it undertook internal investigations to identify the possible source of the compromise and implemented several corrective and preventive actions, it did not exercise sufficient diligence to identify whether data from other laboratories could also have been compromised and whether existing vulnerabilities were at the origin of the compromise. The restricted formation considers that the company did not take into account the security problems it encountered at the time, which ultimately led to the data breach of February 2021 affecting nearly 500,000 people.

62. Thirdly, the restricted formation notes that several basic security measures were lacking in this case. It first notes that the personal data stored on the MEGABUS FTP server were not encrypted and were therefore directly readable, even though these are sensitive data which, by their nature, call for specific security measures.

63. In addition, in the migrations from the DXLAB ONE software to other software, the data, once transferred to the server, were not automatically deleted. Yet retaining the data exposes them to a risk of leakage or compromise.

64. The restricted formation then notes that the public area of the server, in which certain laboratory data were stored for migration purposes, was freely accessible from the Internet without authentication. It was not until 4 November 2020, the date on which the security incident was reported by ANSSI, that "anonymous" unauthenticated access to the FTP server was cut off, and only on 23 February 2021 that the server was definitively shut down. In addition, the private area of the server was accessible through user accounts shared between several employees. The use of shared accounts creates a disproportionate, yet easily avoidable, risk for the security of processing and considerably increases the risk of compromise, in particular because the password circulates between several people. Shared accounts also prevent proper application of an authorisation policy, which is nevertheless a fundamental element of information systems security, aimed at limiting each user's access to only the data they need.

65. The restricted formation finally underlines that no procedure for monitoring and reporting security alerts had been implemented on the FTP server. Connections from suspicious IP addresses were therefore neither detected nor acted upon. The company's forensic investigation report [...] confirms that some suspicious connections were identified, which confirms that the server was exposed on the Internet and that unauthorised connections to it took place without being identified through any such monitoring and alerting procedures.
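Paragraphs 64 and 65 describe three missing controls on the FTP server: anonymous access from the Internet, accounts shared between several people, and no monitoring of connections from suspicious addresses. The following is an added illustration of the kind of monitoring pass those paragraphs imply; it is not code from the decision, from the CNIL or from DEDALUS BIOLOGIE. It assumes a vsftpd-style login log (the sample lines are constructed, not real), a hypothetical trusted maintenance network of 10.20.0.0/16, and a simple heuristic that an account seen from more than two distinct source addresses may be shared; the thresholds and ranges are assumptions to be adapted to the environment.

```python
"""Detection pass over FTP login events: anonymous logins, logins from
outside the trusted maintenance range, and accounts used from many
addresses (a shared-account indicator). Added example, not from the
decision; log format, network range and threshold are assumptions."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in vsftpd's login-line format (assumed), not real logs.
SAMPLE_LOG = """\
Tue Feb 23 08:01:10 2021 [pid 1201] [anonymous] OK LOGIN: Client "203.0.113.5"
Tue Feb 23 08:02:44 2021 [pid 1207] [migration] OK LOGIN: Client "10.20.0.15"
Tue Feb 23 08:03:01 2021 [pid 1210] [migration] OK LOGIN: Client "10.20.0.16"
Tue Feb 23 08:05:19 2021 [pid 1215] [migration] OK LOGIN: Client "198.51.100.77"
Tue Feb 23 08:06:02 2021 [pid 1220] [anonymous] FAIL LOGIN: Client "203.0.113.9"
Tue Feb 23 08:07:30 2021 [pid 1222] [jdupont] OK LOGIN: Client "10.20.0.15"
"""

LOGIN_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'(?P<status>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)

# Assumption: the only network from which maintenance access is legitimate.
TRUSTED_NETS = [ip_network("10.20.0.0/16")]
# Account names that mean unauthenticated access on common FTP daemons.
ANONYMOUS_USERS = {"anonymous", "ftp"}
# Assumed heuristic: more distinct source IPs than this suggests a shared account.
SHARED_ACCOUNT_IP_THRESHOLD = 2


def parse_logins(text):
    """Return one dict (ts, user, status, ip) per login line that matches."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect(events):
    """Return (kind, user, ip_or_ips, status) alerts for the three conditions.

    - anonymous_login: any attempt (OK or FAIL) under an anonymous account
    - untrusted_source: a successful login from outside TRUSTED_NETS
    - possible_shared_account: one account successfully used from more
      than SHARED_ACCOUNT_IP_THRESHOLD distinct addresses
    """
    alerts = []
    ips_per_user = defaultdict(set)
    for e in events:
        ip = ip_address(e["ip"])
        if e["user"].lower() in ANONYMOUS_USERS:
            alerts.append(("anonymous_login", e["user"], e["ip"], e["status"]))
        if e["status"] != "OK":
            continue  # failed logins do not establish a session
        if not any(ip in net for net in TRUSTED_NETS):
            alerts.append(("untrusted_source", e["user"], e["ip"], "OK"))
        ips_per_user[e["user"]].add(e["ip"])
    for user, ips in sorted(ips_per_user.items()):
        if len(ips) > SHARED_ACCOUNT_IP_THRESHOLD:
            alerts.append(("possible_shared_account", user,
                           ",".join(sorted(ips)), "OK"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_logins(SAMPLE_LOG)):
        print(" | ".join(alert))
```

On the constructed sample this flags the two anonymous attempts, the two successful logins from outside the trusted range, and the "migration" account as possibly shared; the per-user login from the trusted range produces nothing. In practice the same logic would run continuously against the daemon's log (or its syslog feed) and feed an alerting channel, which is the procedure paragraph 65 says was absent.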

66. Lastly, the restricted formation notes that the alleged breach does not consist of the data breaches as such, but of the security flaws, noted during the CNIL's inspections, which caused the intrusion on the company's servers. It underlines that the rapporteur's approach, which seeks to sanction the security failings that cause data breaches, is in line with previous decisions of the restricted formation. Thus, in its deliberation No. SAN-2019-007 of 18 July 2019, the restricted formation noted "that the basic security measures had not been taken before the development of its website [by the sanctioned company], which made possible the occurrence of the personal data breach".

67. The restricted formation stresses, however, that the consequences of these security deficiencies are not excluded from the scope of its analysis, in that they show the materialisation of the risk created by those deficiencies. It thus observes that the existing vulnerabilities were exploited and that several data breaches took place: intrusions on the FTP server, followed in February 2021 by the dissemination on forums of a file containing the medical and administrative data of nearly 500,000 people. In this regard, the restricted formation notes that the intrusions on the FTP server are proven and are not disputed by the company, having been established by the investigations carried out by [...] on its behalf.

68. As regards the dissemination of the file on forums, although the company indicates that it cannot be concluded with certainty that the intrusions on the FTP server are at the origin of the data breach which led to the dissemination of this file, the restricted formation nevertheless observes that it appears from the case file that approximately 90% of the data in the published file were present on the FTP server. The file distributed on the forums contains in particular comments which should not have been extracted by DEDALUS BIOLOGIE in the context of the migration from the MEGABUS solution to another solution ("comment P" and "comment D" mentioned above). These elements tend to show the link between the data in the file accessible on the Internet and the data that was on the FTP server.

69. Thus, the lack of security measures to protect the server in question, including the lack of encryption, the absence of automatic erasure of data after migration, the absence of any authentication requirement for Internet access to the public area of the server and the use of shared user accounts, made these data accessible to third parties, despite alerts received prior to the personal data breach that led to the disclosure of a file containing the medical and administrative data of nearly 500,000 people.

70. Consequently, the restricted formation considers that the company DEDALUS BIOLOGIE has breached its obligation under Article 32 of the Regulation, which, moreover, the company does not dispute.

III. On the sanction and its publication

71. Under III of Article 20 of the Law of 6 January 1978 as amended, "Where the controller or its processor does not comply with the obligations arising from Regulation (EU) 2016/679 of 27 April 2016 or from this law, the President of the Commission nationale de l'informatique et des libertés may also, where appropriate after having sent the warning provided for in I of this article or, where appropriate, in addition to a formal notice provided for in II, refer the matter to the restricted formation of the Commission with a view to the imposition, after an adversarial procedure, of one or more of the following measures: [...]

7° Except where the processing is carried out by the State, an administrative fine not exceeding 10 million euros or, in the case of an undertaking, 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In the cases referred to in paragraphs 5 and 6 of Article 83 of Regulation (EU) 2016/679 of 27 April 2016, these ceilings are raised to 20 million euros and 4% of that turnover respectively. In determining the amount of the fine, the restricted formation takes into account the criteria specified in the same Article 83".

72. Article 83 of the GDPR provides that "each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive", before specifying the elements to be taken into account when deciding whether to impose an administrative fine and when deciding on its amount.

73. First, on the principle of imposing a fine, the company insists in its defence on the absence of any previous infringement, on its extensive cooperation with the CNIL, on the remedial measures implemented since the personal data breach and on the significant compliance efforts undertaken.

74. The restricted formation recalls that, in imposing an administrative fine, it must take into account the criteria specified in Article 83 of the GDPR, such as the nature and gravity of the infringement, the number of data subjects affected and the level of damage suffered by them, the negligent character of the infringement, the measures taken by the controller to mitigate the damage suffered by data subjects, the degree of cooperation with the supervisory authority and the categories of personal data affected by the infringement.

75. The restricted formation notes, first of all, the numerous security failings around the MEGABUS FTP server, which was insufficiently protected, leading to a massive personal data breach: a large amount of data concerning 491,840 people was disclosed.

76. The restricted formation insists, moreover, on the extremely damaging nature of the breach for the persons concerned, insofar as, in addition to civil status data (title, surname, first name) and postal, email and telephone contact details, highly sensitive data were disclosed. The file affected by the personal data breach indeed contains references to HIV infection, cancer or genetic diseases, pregnancy, patients' drug treatments and even genetic data. The data concerned by the breach are health data, which are special categories of data within the meaning of Article 9 of the GDPR (so-called "sensitive" data). Given the nature of the data concerned, the restricted formation considers that the company should have been particularly vigilant about the security of such data, to prevent their reuse by unauthorised third parties to the detriment of those affected by the data breach. Yet the security negligence was multiple and particularly serious, even though the company processes sensitive data and had already been alerted to the potential existence of risks, some of which materialised. The restricted formation considers that the failing which led to the data breach is of particular gravity.

77. It also underlines that, given the nature of these personal data, those affected by the breach are prime targets for personalised phishing (the sending of false messages or documents to obtain personal information or money): potential attackers now hold their social security number, the name of their prescribing doctor, the date of their examination, the name of the laboratory and, in some cases, medical information. The nature of the personal data compiled also underpins the risk of identity theft, false prescriptions (which may use doctors' names) and fake distress messages referring to the health problems mentioned.

78. The restricted formation finally notes that the company did not take any specific measures to stop the distribution of the file once it became aware of it. It was the President of the CNIL, and not the company DEDALUS BIOLOGIE, who brought interim proceedings (référé) so that the disputed file could be effectively blocked.

79. While the restricted formation notes that the company cooperated throughout the procedure with the CNIL's services, it considers that the security deficiencies which enabled the data breach, including both the intrusions on the FTP server and the online distribution of the file, result from negligence in the basic security rules of information systems, which made personal data processed by the company accessible to unauthorised third parties.

80. The restricted formation also notes that the fact that DEDALUS BIOLOGIE processed personal data beyond the instructions given by the controllers, and thereby committed a breach of Article 29 of the GDPR, aggravated the breach, since comments which should not have been extracted were then found in the file distributed online and accessible on the forums.

81. The restricted formation finally recalls that the various documents governing the contractual relations between the company DEDALUS BIOLOGIE and the laboratories do not contain the information required by Article 28 of the GDPR, which likewise fails to ensure effective protection, through contractual guarantees, of the personal data processed.

82. Consequently, the restricted formation considers that an administrative fine should be imposed in light of the breaches of Articles 28(3), 29 and 32 of the GDPR.

83. Secondly, with regard to the amount of the fine, the company emphasises that [...]. The company insists that its financial situation must be taken into account, so that the fine imposed is adapted to the financial capacity of the controller.

84. The restricted formation recalls that Article 83(3) of the Regulation provides that, in the event of multiple infringements, as is the case here, the total amount of the fine may not exceed the amount specified for the gravest infringement. Insofar as the company is accused of breaches of Articles 28, 29 and 32 of the GDPR, the maximum fine that can be imposed amounts to 10 million euros or 2% of total worldwide annual turnover, whichever is higher.

85. The restricted formation also recalls that administrative fines must be dissuasive but proportionate. It considers in particular that the company's activity and financial situation must be taken into account in determining the penalty and, in the event of an administrative fine, its amount. In this respect, it notes that the company reports turnover of 18.8 million euros in 2019 and 16.3 million euros in 2020, with net income of 2,226,949 euros in 2019 and 1,437,017 euros in 2020.

86. In view of these elements, the restricted formation considers that a fine of 1,500,000 euros appears justified.

87. Thirdly, with regard to publication of the sanction, the company indicates that the cyber attack in which it was implicated received very extensive publicity, since several press articles were published and then relayed in the print and television media, in France and abroad. The incident was also the subject of several communications from the CNIL. It adds that this media coverage will have particularly harmful effects for it, not only on its activity but also on its turnover.

88. Given the gravity of the failings committed, particularly those relating to security, the number of people concerned and the consequences for them, the restricted formation considers that publication of the decision is justified.

BY THESE GROUNDS

The restricted formation of the CNIL, after having deliberated, decides to:

- impose an administrative fine of 1,500,000 (one million five hundred thousand) euros against DEDALUS BIOLOGIE;

- make its deliberation public on the CNIL website and on the Légifrance website; the deliberation will no longer identify the company by name once two years have elapsed from its publication.

President

Alexandre LINDEN

This decision is subject to appeal to the Council of State within two months of its notification.