The French data protection watchdog has fined car rental company Hertz over a data leak affecting 36,000 customers, the first fine of its kind in France. With GDPR looming, companies need to take data security seriously or face similar consequences.
BY RAVI PATHER, EPERI
The car rental company Hertz has been hit with a fine of 40,000 euros ($46,920) after personal data of 36,000 customers was found to be easily available online.
France’s privacy regulator, the CNIL, issued the fine, stating that Hertz France had failed to meet its data security obligations. It is the first fine of its kind in France for a data breach since the 2016 law “for a digital republic” took effect.
The Hertz France case should act as a serious warning to all enterprises across Europe, and to enterprises with subsidiary offices in France, regarding the treatment of their customers’ Personally Identifiable Information (PII) and other sensitive data. To simplify their work and integrate data, many enterprises rely on CRM applications to manage and process customer data and transactions, and many of the leading CRM products are cloud-based SaaS applications.
CNIL and other European regulators recognise that while cloud providers secure their own infrastructure, that does not by itself protect the customer’s data: under the shared-responsibility model the enterprise, as data controller, remains accountable for the personal data it places in a SaaS application. This matters in the coming year because, under the General Data Protection Regulation (GDPR), regulators will be able to fine enterprises up to 4 % of worldwide annual turnover (or 20 million euros, whichever is higher) for breaches of its requirements, including when transferring, processing or storing PII in SaaS-based CRM and other cloud applications.
The many recent cases in the press show that enterprises still have a long way to go in understanding how PII must be treated under GDPR, let alone implementing it. Under GDPR, the principles of “security by design” and “comprehensive security” (data protection by design and by default, Article 25, and security of processing, Article 32) call for protecting sensitive PII with techniques such as encryption and pseudonymisation when working with third-party cloud service providers or data processors.
In practice this means that any data deemed sensitive is encrypted or tokenized before it leaves the enterprise, so that unauthorized parties cannot read it. Should the cloud provider’s defenses be breached, attackers may still exfiltrate the records, but the protected fields are unreadable without the cryptographic keys or the token vault.
Crucially, when protecting data with encryption or tokenization, the organization must keep control of the keys (and of any token vault) itself. Encryption performed by the provider with provider-held keys protects against a lost disk, not against a compromise of the provider’s application or an insider there, because the keys sit beside the data. Hertz can count themselves lucky: the fine would have been far higher had this leak occurred under GDPR.
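To make the key-ownership point concrete, here is an added example (written for this article, not eperi's product or Hertz's system) of a field-level tokenization gateway sitting between an enterprise and a SaaS CRM. The field classification, the sample customer record and the `tok_` token format are assumptions chosen for the illustration. PII fields are replaced with tokens before the record is handed to the SaaS; the token vault and the HMAC key stay with the data controller, so a copy of the SaaS tenant's data contains nothing readable. A searchable field (email) gets a deterministic keyed token so the CRM can still match on it; the other PII fields get random tokens. The same ownership property holds if encryption is used instead of a vault: what matters is that the keys never sit with the provider.

```python
"""Field-level tokenization before PII reaches a SaaS CRM (added example).

The data controller keeps the token vault and the HMAC key; the SaaS tenant
only ever stores tokens. Illustrative code, not a vendor product.
"""
import hashlib
import hmac
import secrets

# Assumed classification for this example: which record fields are PII and
# which of those the CRM must still be able to match on exactly.
PII_FIELDS = frozenset({"name", "email", "driver_licence"})
SEARCHABLE_FIELDS = frozenset({"email"})


class TokenVault:
    """Token <-> plaintext store. Lives with the controller, never in the SaaS."""

    def __init__(self, hmac_key: bytes) -> None:
        if len(hmac_key) < 32:
            raise ValueError("use a random key of at least 32 bytes")
        self._key = hmac_key
        self._store = {}  # token -> plaintext value

    def tokenize(self, field: str, value: str) -> str:
        if field in SEARCHABLE_FIELDS:
            # Deterministic keyed token: equal values map to equal tokens, so
            # the CRM can still look a customer up by email. Caveat: this
            # leaks equality between records. Because it is an HMAC rather
            # than a plain hash, an attacker without the key cannot confirm
            # guesses such as "is this alice@example.com?".
            msg = f"{field}\x00{value}".encode()
            digest = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
            token = f"tok_{digest[:32]}"
        else:
            # Random token: carries no information about the value at all.
            token = f"tok_{secrets.token_hex(16)}"
        self._store[token] = value
        return token

    def detokenize(self, token: str) -> str:
        try:
            return self._store[token]
        except KeyError:
            raise KeyError("unknown token: this vault holds no mapping for it") from None


def protect_record(vault: TokenVault, record: dict) -> dict:
    """What the gateway hands to the SaaS: PII fields replaced by tokens."""
    return {k: vault.tokenize(k, v) if k in PII_FIELDS else v for k, v in record.items()}


def reveal_record(vault: TokenVault, protected: dict) -> dict:
    """What an authorised user inside the controller's perimeter sees."""
    return {k: vault.detokenize(v) if k in PII_FIELDS else v for k, v in protected.items()}


def leaks_pii(protected: dict, original: dict) -> bool:
    """True if any original PII value is visible in the protected record."""
    dumped = repr(protected)
    return any(str(original[f]) in dumped for f in PII_FIELDS if f in original)


# Constructed sample record for the example; not real customer data.
SAMPLE = {
    "rental_id": 10042,
    "name": "Alice Example",
    "email": "alice@example.com",
    "driver_licence": "FR-123456789",
    "vehicle": "compact",
}

if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))  # key generated and held on-prem
    cloud_copy = protect_record(vault, SAMPLE)   # this is all the SaaS stores
    print("stored in SaaS :", cloud_copy)
    print("leaks PII?     :", leaks_pii(cloud_copy, SAMPLE))
    print("detokenized    :", reveal_record(vault, cloud_copy))
```

Run it and the "stored in SaaS" line shows only tokens and non-sensitive fields; a second vault built with a different key cannot detokenize them, which is exactly the position an attacker holding a dump of the provider's database would be in.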
eperi's Cloud Data Protection solutions are designed to address the GDPR principles of "security by design" and "comprehensive security" for leading SaaS applications such as Salesforce and Office 365 to protect sensitive PII data.