Behind CNIL reports, the wave of ransomware


Since the entry into force of the GDPR, companies affected by a personal data breach have been obliged to notify it to the Commission Nationale Informatique et Libertés (CNIL), on pain of a fine. This risk of sanction has pushed companies to be more transparent about the data leaks and computer attacks that affect them. In its annual activity report, the CNIL explains that it received 5,037 personal data breach notifications in 2021, an increase of 79% compared to the previous year.

These notifications come mainly from small businesses: SMEs account for 43% of reports and micro-enterprises for 26%. The CNIL considers that this overrepresentation of small businesses is explained both by their lack of maturity in cybersecurity and by a "wave" effect in the notifications: when a subcontractor is hit by an IT attack, it must inform its various customers, who then each notify the CNIL of a data breach in turn. The report indicates that the Commission received more than 300 notifications in a single day as a result of this phenomenon.

The CNIL specifies the nature of the breaches reported to it, according to its own classification. The overwhelming majority of notifications (4,017) concern a loss of confidentiality, meaning that personal data has been exposed or stolen by attackers. The CNIL notes that the two other scenarios, loss of availability and loss of integrity, doubled in 2021. Many notifications combine a loss of confidentiality with a loss of availability or integrity.

Behind these notification figures, the CNIL underlines the growing weight of ransomware attacks, which marked the year 2021 and affected many French organizations. "The CNIL thus received more than 2,150 notifications, or 43% of notifications for this type of attack alone," indicates the commission's report. External malicious acts account for the majority of data breach cases, at 59%. The CNIL received nearly 3,000 notifications resulting from computer hacking, a figure up 128% compared to 2020.

In 2021, the CNIL had 245 employees and a total operating budget of 21.8 million euros. In addition to receiving data breach notifications, the CNIL also carries out a mission of control and sanction regarding compliance with the data protection legislation in force: the Commission thus carried out 384 checks in 2021, which resulted in 135 formal notices (compared to 49 in 2020) and 18 sanctions, for a total of 214 million euros in fines. "Of these 18 sanctions, half involve a breach related to the security of personal data," writes the CNIL.