
Lack of obvious security failings could help Orange avoid data breach fine, says expert

Out-Law News | 09 May 2014 | 3:14 pm | 3 min. read

The largest mobile telecoms company in France is unlikely to face enforcement action over the two major data breaches it has suffered in the space of a few months unless the French data protection authority can identify obvious failings in its security practices, an expert has said.

Orange France earlier this month announced that personal data belonging to some of its customers had been stolen following a cyber attack. According to various media reports, including the Financial Times and The Register, data about more than one million customers was compromised in the attack.

Orange France confirmed that customers' names, email addresses, mobile and landline phone numbers and dates of birth were among the information stolen, and warned customers that the hackers could use the data to conduct 'phishing' scams in an effort to obtain further data about them.

The company said it had fixed the security vulnerability that the hackers had exploited on 18 April.

"The necessary actions have been implemented to correct technical malfunctions and prevent further unlawful access to these data," Orange France said, according to a translation of the company's statement. "For the sake of transparency, we informed all persons concerned of the existence and resolution of this fact."

It is the second major data breach that Orange France has reported this year. In February it announced that the data of approximately 800,000 of its customers had been stolen because of a flaw in the security of its website.

Paris-based data privacy expert Annabelle Richard of Pinsent Masons, the law firm behind Out-Law.com, said that Orange France would not necessarily face sanctions from the Commission nationale de l'informatique et des libertés (CNIL), the data protection authority in France, despite experiencing two major data breach incidents in close proximity.

"It is possible for companies to be compliant with data protection laws and still fall victim to data breaches," Richard said. "Both the law and regulators acknowledge that the security of personal data cannot be guaranteed. It is left up to businesses to determine what measures are proportionate and relevant for them to implement to appropriately secure the personal data they are responsible for."

"Companies often ask what specific security measures they need to put in place to comply with data protection laws, but the reality is that neither those laws nor regulators set out the specific technical measures businesses have to implement. This reflects the fact that the kind of data businesses are processing is changeable as well as the fact that both security software and hackers' techniques are continually evolving," she said.

"The difficulty CNIL and other data protection authorities have in determining whether the security measures individuals have in place were sufficient to comply with the law is that they often lack the technical expertise to identify faults and where reasonable safeguards could have been put in place. If the authorities can spot specific security problems that could have been feasibly addressed they could take enforcement action, including fining businesses that experience data breaches stemming from those security failings," Richard said.

Richard said that, as a provider of publicly available electronic communications services operating within the EU, Orange France is under an obligation to notify certain data breaches to CNIL and customers.

Under changes to EU law that came into force in August 2013, all providers of publicly available electronic communications services in the EU have to inform national regulators within 24 hours of detecting a personal data breach they have experienced. The companies must supply the regulator with a range of information about the breach, including the estimated date and time of the incident, the nature and content of the personal data concerned and how many individuals are affected.

The telecoms businesses also generally have to notify individuals affected by a personal data breach "without undue delay" in cases where the breach is "likely to adversely affect the personal data or privacy" of those individuals.

EU privacy watchdog the Article 29 Working Party recently issued guidance to further clarify electronic communication service providers' data breach notification obligations under the new regime.

Richard said that the increasing risk of cyber attacks was an "international phenomenon" and not limited to companies operating in France. She cited high-profile examples of data breaches, including those suffered by US retailer Target and technology giant Sony, as highlighting the risks all organisations face.

The expert said that businesses should be less worried about sanctions from regulators than about the damage that data breaches can do to their reputation.

"The damage to a business's image and the feeling among consumers that data is not secure with them is of greater risk to companies that fall victim to data breaches than a sanction they could get from regulators," Richard said. "That is why companies which have no obligation to disclose breaches are very often not inclined to do so."

A recent survey commissioned by the UK government revealed that fewer than a third of UK organisations' worst data security breaches go public. Under proposed new EU data protection laws, however, all organisations would face an obligation to disclose certain personal data breaches to both regulators and the public under certain circumstances.