Privacy Advisor

FRANCE—Sanctions Handed Down for Weak Password Policy

August 16, 2013

By Pascale Gelly, CIPP/E

If there is something which is easy to verify in terms of data security for a data protection authority carrying out an onsite investigation, it is whether a company has a password policy in place and whether it is implemented.

For years, the French data protection authority (CNIL), has repeatedly given the message in successive guidelines that a robust password policy was key to data security. Recently, it has moved from education to sanction and has applied the rules against a company that failed to implement a video surveillance system in compliance with data protection law. There were actually other noncompliances underlined and strong resistance to compliance according to the decision, which led to a sanction of 10,000 Euros and publication of the decision.

During the investigation, the CNIL found that most passwords enabling access to company computers were of five digits; some were made of the first name or last name of the employees or had not been changed in almost two years. The CNIL therefore considered that the shortness, simplicity, easiness to deduct and lack of renewal of passwords did put the data at risk, and it ruled that the company did not comply with its obligation to ensure the security of personal data.

This is a red light on another basic obligation of the data protection law.

Pascale Gelly, CIPP/E, of the French law firm Cabinet Gelly, can be reached at