
France’s data protection authority (CNIL) has imposed a €1.7 million fine on Nexpublica France for inadequate security measures in its social services software, PCRM, after a data breach exposed sensitive information on individuals with disabilities.
The penalty follows an investigation triggered by reports in November 2022 from Nexpublica’s clients. These clients, including several French departmental houses for disabled persons (MDPH), alerted the CNIL after users of the PCRM portal reported being able to access confidential documents belonging to third parties. CNIL’s inspection concluded that the breaches stemmed from systemic and long-standing security failings in the software platform.
Nexpublica France, formerly known as Inetum Software France, specializes in developing IT systems and software for the public sector. Its product, PCRM (used in the management of citizen relations for social support services), handles highly sensitive personal data, including medical and disability-related information. Given the sensitivity of this data, CNIL found the lack of appropriate security measures particularly concerning.
The investigation revealed that the vulnerabilities present in PCRM stemmed from a general failure to implement industry-standard technical and organizational protections. According to CNIL’s restricted committee, which is responsible for issuing penalties, these flaws were not only known to the company but had been flagged in several internal and external audit reports prior to the incidents. Nevertheless, corrective actions were taken only after data breaches had already occurred.
The CNIL determined that Nexpublica had violated Article 32 of the General Data Protection Regulation (GDPR), which obliges data controllers and processors to ensure an adequate level of security in relation to the risks posed by data processing. The regulator highlighted multiple aggravating factors in this case: the sensitive nature of the data, the high number of individuals affected, and the fact that the company offers professional IT and software services, making its negligence inexcusable.
Despite the gravity of the breach, CNIL chose not to issue a compliance order since the company had already implemented fixes after the incidents. However, the financial penalty reflects both the seriousness of the security failures and the firm’s capacity to pay.