Reduction of damages awarded for unpermitted use of client data: a direct consequence of the victim's insufficient security measures

By Gabriel Voisin, Daniel Hope


In this case, a French e-commerce operator noticed that its client list, containing the email addresses of 4.7 million clients and prospects, was compromised. It noticed this once advertisements from a competitor started being received by fictitious email addresses, set-up purposely to alert the e-commerce operator of any security breaches. The competitor admitted to obtaining the client list from an employee of the e-commerce operator. The employee used her credentials, which were also being used by four other employees, to access the information. The client list was used by the competitor on several occasions for duration of three months. He also shared part of the list with advertising agencies for different publicity campaigns.

The Tribunal de Grande Instance (“TGI”) of Paris handed down a judgment proclaiming the competitor's liability for appropriation, unbeknownst to the e-commerce platform, of client and prospective client email addresses, for personal gains. The TGI also considered that the advertising agencies were negligent in acquiring client list information at a very generous price without questioning the conditions in which the seller had itself acquired the information. According to the TGI, this price, too weak to permit an injection of investment which is required for the creation and maintenance of such a large client list, ought to have alerted the advertising agencies to the dubious origins of the information.

Subsequently, the e-commerce platform successfully obtained the conviction of the competitor and the advertising agencies. However, the TGI deemed the e-commerce platform to be responsible for 30% of the damages it incurred as a result of the absence of firm rules on client database access. Without explicitly quoting the security obligations laid down by the French Data Protection Act, the TGI sanctioned the plaintiff for its lack of security measures in the management of the credentials.

The e-commerce platform claimed that it implemented several measures to ensure the security of its client list including (i) the use of fictitious email addresses to identify improper use of client data; (ii) the implementation of confidentiality obligations in the contracts of the e-commerce platform employees; (iii) the use of credentials to access the client database; (iv) logging accesses to the information; (v) the provision of security services by exterior companies; and (v) the development of perfected IT and technical infrastructure.
Unfortunately, this was deemed insufficient by the TGI. According to the TGI, the fact that the credentials used by the unfaithful employee were also being utilised by four different individuals within the company, including a designer (who, at first-glance, had no need to access the information, noted the TGI), demonstrated a degree of negligence in the management of credentials attributable to the e-commerce platform. Consequently, it was deemed that the e-commerce platform contributed to the damages it incurred by 30% as a result of not implementing appropriate security measures on the management of credentials giving access to personal data of clients and prospects. It followed that €30,000 would be subtracted from the €100,000 of damages that the plaintiff was awarded.

Take away from this court decision: (i) companies must ensure that they satisfy their security obligations: insufficient or a lack of security measures expose them to reduced damages or denial of damages in case of improper use of data by third parties; and (ii) list vendors must be very cautious when acquiring client list information: very generous prices should raise questions. A copy of the court decision (in French) can be found here.