In the light of the recent findings about flaws in computer processors, this article summarises the vulnerabilities and how they affect a company’s legal duty to keep personal data safe.
The Security Flaw Summarised
Wednesday the 3rd January saw the large scale reveal of the computer processors flaws known as Meltdown and Spectre. The flaws affect the computer at its core operating system, known as the kernel. This is the core operating system that sits behind the programs and applications which holds all the required sensitive information to enable it to run. It has access to all information and permissions to run any program. The information it holds can include master passwords which, if accessed, could give an attacker access to all of information available from the attacked computer.
Meltdown enables hackers to access information in the computer’s core memory, which is normally highly protected. This affects desktop, laptops and cloud computers. Spectre breaks the isolation between different applications. It allows an attacker to trick programs, even when following best practices, into giving attackers their secrets. Any system can be affected by Spectre, including smartphones and tablets.
Your Company’s Duty to Protect Data
The Information Commissioner (ICO) has taken the opportunity to remind organisations of their duty to keep data safe. A statement by the ICO Head of Technology released 04 January 2018 said that:
“All organisations have a duty to keep personal information in their care secure and that involves having layered security defences in place, including procedures for applying patches and updates, to help to mitigate the risk of exploitation.”
Under current Data Protection Legislation, companies have legal a duty to protect any personal data it holds. This is currently defined as data which relates to a living individual who can be identified from the data. Under the new General Data Protection Regulation (“GDPR”), which will be in force on 25 May 2018, personal data is defined as "any information relating to a data subject" where a “data subject” is an identified or an identifiable person to whom the data relates. For a business, personal data can include information which relates to customers, potential customers, employees and information received from third parties.
Principle 7 of the Data Protection Act 1998 dictates that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. The GDPR similarly states “Data controllers and data processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected” (Article 32(1)).
So what are “appropriate technical and organisational measures”?
This is not exactly defined in the new or old legislation as this depends on each company’s needs and requirements i.e. there must be the appropriate level of security for personal data when considering the risks posed to that particular business. Businesses which hold high levels of personal data, such as banks, are required to have to put greater levels of protection in place in comparison to, say, a local florist. Technical measures may include encrypting the data and organisation measures can include having a written data protection policy and educating staff how to follow proper data protection practices.
What Can Your Company Do in the Light of The New Vulnerabilities?
The latest advice confirmed in a statement by the National Cyber Security Centre on the 04 January 2018 as follows:
“All organisations and home users continue to protect their systems from threats by installing patches as soon as they become available.”
It is therefore essential, that all companies install the latest software patches that becomes available on their computers in order to protect them from the recently revealed flaws known as Meltdown and Spectre. Otherwise a company may be deemed to not be taking appropriate technical and organisational measures under data protection legislation.
These notes have been prepared for the purpose of articles only. They should not be regarded as a substitute for taking legal advice.