20221101_bpe_teams_1184_wide

News & Events

;
Insight

Does News of Major Computing Security Flaws Affect Your Company’s Duty to Keep Data Safe?

In the light of the recent findings about flaws in computer processors, this article summarises the vulnerabilities and how they affect a company’s legal duty to keep personal data safe.

The Security Flaw Summarised

Wednesday the 3rd January saw the large scale reveal of the computer processors flaws known as Meltdown and Spectre. The flaws affect the computer at its core operating system, known as the kernel. This is the core operating system that sits behind the programs and applications which holds all the required sensitive information to enable it to run. It has access to all information and permissions to run any program. The information it holds can include master passwords which, if accessed, could give an attacker access to all of information available from the attacked computer.

Meltdown enables hackers to access information in the computer’s core memory, which is normally highly protected. This affects desktop, laptops and cloud computers. Spectre breaks the isolation between different applications. It allows an attacker to trick programs, even when following best practices, into giving attackers their secrets. Any system can be affected by Spectre, including smartphones and tablets.

Your Company’s Duty to Protect Data

The Information Commissioner (ICO) has taken the opportunity to remind organisations of their duty to keep data safe. A statement by the ICO Head of Technology released 04 January 2018 said that:

“All organisations have a duty to keep personal information in their care secure and that involves having layered security defences in place, including procedures for applying patches and updates, to help to mitigate the risk of exploitation.”

Under current Data Protection Legislation, companies have legal a duty to protect any personal data it holds. This is currently defined as data which relates to a living individual who can be identified from the data. Under the new General Data Protection Regulation (“GDPR”), which will be in force on 25 May 2018, personal data is defined as "any information relating to a data subject" where a “data subject” is an identified or an identifiable person to whom the data relates. For a business, personal data can include information which relates to customers, potential customers, employees and information received from third parties.

Principle 7 of the Data Protection Act 1998 dictates that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. The GDPR similarly states “Data controllers and data processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected” (Article 32(1)).

So what are “appropriate technical and organisational measures”?

This is not exactly defined in the new or old legislation as this depends on each company’s needs and requirements i.e. there must be the appropriate level of security for personal data when considering the risks posed to that particular business. Businesses which hold high levels of personal data, such as banks, are required to have to put greater levels of protection in place in comparison to, say, a local florist. Technical measures may include encrypting the data and organisation measures can include having a written data protection policy and educating staff how to follow proper data protection practices.

What Can Your Company Do in the Light of The New Vulnerabilities?

The latest advice confirmed in a statement by the National Cyber Security Centre on the 04 January 2018 as follows:

“All organisations and home users continue to protect their systems from threats by installing patches as soon as they become available.”

It is therefore essential, that all companies install the latest software patches that becomes available on their computers in order to protect them from the recently revealed flaws known as Meltdown and Spectre. Otherwise a company may be deemed to not be taking appropriate technical and organisational measures under data protection legislation.

 

These notes have been prepared for the purpose of articles only. They should not be regarded as a substitute for taking legal advice.

Related articles

  • False reason for dismissal breaches implied term of trust and confidence?

    In this article, Sarah Lee considers the case of Rawlinson v Brightside Group Ltd (UKEAT/0142/17)...

    View

  • Supermarket held vicariously liable for employee deliberate data breach

    In this article, we consider the case of Various Claimants v WM Supermarkets plc in which the Hig...

    View

  • Top 5 Employment Law Cases in 2017 and what to expect in 2018

    In this article Steve Conlay looks at the biggest cases from 2017 and looks forward to what we ca...

    View

Get in touch

Talk to us about your legal challenges and discover how our expert, pragmatic legal advice and broad commercial acumen can help.

Cookies

To provide a personalised and responsive service, we use cookies. Please click here to access our Cookie Policy to understand what cookies we set and what they do.

Manage Tracking

Please select and accept your tracking preferences: