France Update: Do you comply with the new recommendations of the CNIL regarding password security?
28/11/2022

Art. 32 GDPR imposes a security obligation on the controller of personal data. Violation of this obligation may result in penalties of up to 4% of worldwide turnover or €20,000,000.
According to the CNIL, in 2021, “81% of notifications of global data breaches would be related to weak passwords” and 60% of notifications to the CNIL are related to hacking.
In order to provide a more appropriate framework, the CNIL recently published Deliberation No. 2022-100 on passwords and other shared secrets. The main changes compared to its previous recommendation in 2017 are as follows:
- The CNIL previously defined compliance thresholds in terms of the number of characters and the complexity of the password. It now relies on entropy, that is, “the amount of chance contained in a system. For a password or cryptographic key, this corresponds to its degree of unpredictability, and therefore its ability to resist a brute force attack.” The controller should therefore use passwords whose length and complexity correspond to an entropy of 80 bits.
- On this basis, the CNIL distinguishes 3 use cases:
- “Simple” password authentication: 80-bit entropy level required;
- Measures limiting the risk of online attacks are implemented: required entropy level of 50 bits;
- The unlock code of a device: required entropy level of 13 bits.
- The password renewal requirement is removed for regular user accounts. Renewal is still necessary for “privileged” accounts, i.e. those of the administrator type and/or with extended rights.
- Companies will need to put in place clear rules, in the form of best practices, regarding the creation and renewal of passwords in order to fulfill their security obligation.
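The entropy figures above are easier to apply to an actual password policy with a small calculator. The following is an added example (not part of the original article or of the CNIL deliberation) that computes the entropy of a policy as length × log2(alphabet size), assuming characters are drawn uniformly at random, and checks it against the three CNIL thresholds quoted above; it also inverts the formula to give the minimum length a policy needs for each use case. The alphabet class sizes and the passphrase word-list size are assumptions for illustration.

```python
import math

# Minimum entropy (bits) per use case, as quoted from CNIL Deliberation No. 2022-100.
CNIL_THRESHOLDS = {
    "simple_password_auth": 80,   # no additional measures
    "online_attack_limited": 50,  # rate limiting, lockout, second factor, etc.
    "device_unlock_code": 13,     # unlock code of a device
}

# Character class sizes (assumption: a standard ASCII keyboard layout).
CHARSETS = {"digits": 10, "lowercase": 26, "uppercase": 26, "symbols": 33}


def alphabet_size(classes) -> int:
    """Size of the alphabet a policy allows, e.g. ["lowercase", "digits"] -> 36."""
    size = sum(CHARSETS[c] for c in classes)
    if size < 2:
        raise ValueError("alphabet must contain at least two symbols")
    return size


def entropy_bits(length: int, alphabet: int) -> float:
    """Entropy of a random string of `length` symbols from an alphabet of `alphabet` symbols.
    This is an upper bound: a human-chosen password never reaches it."""
    if length < 1:
        raise ValueError("length must be positive")
    return length * math.log2(alphabet)


def policy_entropy_bits(length: int, classes) -> float:
    return entropy_bits(length, alphabet_size(classes))


def min_length_for(bits: float, alphabet: int) -> int:
    """Smallest length whose entropy reaches `bits` for the given alphabet."""
    return math.ceil(bits / math.log2(alphabet))


def assess_policy(length: int, classes) -> dict:
    """Map each CNIL use case to whether the policy meets its entropy threshold."""
    bits = policy_entropy_bits(length, classes)
    return {use: bits >= required for use, required in CNIL_THRESHOLDS.items()}


def required_lengths(classes) -> dict:
    """Minimum password length per CNIL use case for the given character classes."""
    size = alphabet_size(classes)
    return {use: min_length_for(required, size) for use, required in CNIL_THRESHOLDS.items()}


# Passphrases generalise the same formula: words drawn from a list of N words
# give log2(N) bits per word (assumed list size: 7776 words).
PASSPHRASE_WORDS = 7776
```

For example, a 12-character lowercase-only password reaches about 56 bits, enough for the 50-bit case but not for 80, while the full 95-symbol alphabet needs 13 characters to reach 80 bits.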
The CNIL recalls that this recommendation is not normative, but specifies that “the minimum technical and organizational requirements” thus identified correspond to the state of the art. This means that it will verify compliance with these requirements during controls and that non-compliance with them will result in penalties.
Ginestié Magellan Paley-Vincent, France, a Transatlantic Law International Affiliated Firm.
For further information or for any assistance please contact france@transatlanticlaw.com
Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.