The Commission nationale de l’informatique et des libertés (CNIL, the French data-protection authority) recently found a company in breach of its duty to protect the personal information of its employees because the company allowed passwords that were too short, too easy to guess and not changed often enough. (See the story on Le Village de la Justice)
According to the CNIL, the employer should have had a password policy requiring longer passwords composed of letters, numbers and special characters, and requiring that passwords be changed frequently.
The finding rested on the weakness of the policy alone: it was not shown that anyone's password had actually been compromised or that any information had been accessed. The risk was theoretical, yet the CNIL still imposed a fine of 10,000 euros.
In Canada, many privacy statutes, including PIPEDA, require data custodians to take reasonable care to keep personal information confidential. Would the CNIL's standards be applied here? Should they be?