Meltdown and Spectre: data protection implications

Last week Google’s Project Zero team published details of serious security flaws, Meltdown and Spectre, which affect almost every modern computer, and could allow hackers to steal sensitive personal data.



In response, the ICO has strongly recommend that organisations determine which of their systems are vulnerable, and test and apply the patches as a matter of urgency. In its blog, ICO Head of Technology Policy, Nigel Houlden stated:

“Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty. And, under the General Data Protection Regulation [GDPR] taking effect from May 25 this year, there may be some circumstances where organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously.”

However, Mr. Houlden also acknowledges that the decision whether to, and when to, patch can be difficult. For example, there may be a performance drop when the patch to resolve a vulnerability is applied or there may be an incompatibility issue between the patch and an organisation’s antivirus solution.

He goes on to state that:

“[u]ltimately, organisations will have to make their own choices on whether to patch, but if they choose not to, we would expect significant mitigations to be in place and well understood.”

This ICO blog post also comments on the GDPR’s new Privacy by Design requirement in relation to data security systems.