Failing to patch the Meltdown and Spectre processor flaws disclosed last week could expose organizations to steep fines under the EU’s General Data Protection Regulation (GDPR) once it takes effect in May, the UK’s data protection authority warned.
Nigel Houlden, Head of Technology at the UK Information Commissioner’s Office (ICO), issued a statement on January 4 saying the ICO was aware of reports of the “significant flaws in a wide range of computer processors” and urging UK firms affected by those flaws to apply patches “as soon as they are released.”
“All organisations have a duty to keep personal information in their care secure and that involves having layered security defences in place, including procedures for applying patches and updates, to help to mitigate the risk of exploitation,” Houlden said. His statements were first reported over at the blog HealthInfoSecurity.
GDPR is generally seen as a data privacy law. However, it also sets a high bar for organizations that hold personal data on people in the EU (the “data controllers”) to prevent security mishaps. Specifically, data controllers are charged with adopting “appropriate technical and organisational measures” against “unauthorised or unlawful processing of personal data” as well as “accidental loss or destruction” of that data.
In a blog post on January 5, Houlden expanded on the warning, saying that Meltdown and Spectre had clear implications for data controllers. “If these vulnerabilities are exploited on a system that is processing personal data, then that personal data could be compromised. Alternatively, an attacker could steal credentials or encryption keys that would allow them to access personal data stored elsewhere,” he said.
Meltdown and Spectre are, of course, the serious flaws in the implementation of a feature known as “speculative execution” in a wide range of processors, some dating back more than 20 years. When exploited, they let an unprivileged process read memory it should never see: kernel memory in the case of Meltdown, and memory belonging to other processes in the case of Spectre. That is a particularly scary prospect for multi-tenant cloud environments, where a single processor may host hundreds or thousands of virtual machines belonging to different organizations. (Security Ledger has pulled together a must-read list on Meltdown and Spectre, which you can check out here.)
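The ICO’s advice is to apply the patches promptly, which raises the practical question of how to confirm they are actually in effect. Linux kernels from 4.15 onwards report their own Meltdown/Spectre mitigation status as one file per issue under /sys/devices/system/cpu/vulnerabilities/, each reading “Not affected”, “Vulnerable” or “Mitigation: …”. The script below is an added example, not part of the original article or of any ICO guidance; it summarises that directory and exits non-zero if any issue is still reported as vulnerable. The directory is a parameter so the functions can be pointed at a constructed fixture (the sample values in make_fixture are made up for illustration) on a machine whose kernel does not expose the interface.

```shell
#!/bin/sh
# Added example: summarise the kernel's self-reported Meltdown/Spectre
# mitigation status from the sysfs interface introduced in Linux 4.15.

SYSFS_VULN_DIR="/sys/devices/system/cpu/vulnerabilities"

# Print "<issue>: <status>" for every file in DIR (default: the live sysfs
# path). Returns 0 if nothing is reported as Vulnerable, 1 if at least one
# issue is, and 2 if DIR does not exist (pre-4.15 kernel or not Linux), in
# which case no conclusion about the host can be drawn from this check.
vuln_status() {
    dir="${1:-$SYSFS_VULN_DIR}"
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel does not report mitigation status" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%s: %s\n' "$(basename "$f")" "$status"
        case "$status" in
            Vulnerable*) rc=1 ;;
        esac
    done
    return $rc
}

# Number of issues reported as Vulnerable in DIR (0 if DIR is absent),
# for use by other scripts that want a count rather than an exit status.
count_vulnerable() {
    dir="${1:-$SYSFS_VULN_DIR}"
    [ -d "$dir" ] || { echo 0; return; }
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed fixture (not captured from a real host): a half-patched
# machine with page-table isolation in place but no Spectre v2 mitigation.
make_fixture() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}

# Stand-alone usage: `sh check_vulns.sh --check [DIR]` reports on DIR
# (default: the live sysfs path) and exits with the status described above.
case "${1:-}" in
    --check) shift; vuln_status "$@" ;;
esac
```

Treat return code 2 as “unknown”, not “safe”: an older kernel simply has no mitigation to report, and on such hosts the patch state has to be established from the vendor’s advisory and the installed kernel version instead.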
Failure to patch known vulnerabilities like Meltdown and Spectre would be a factor the ICO takes into account “when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty,” he wrote.
The May go-live date shouldn’t give firms the idea that they can sit on patches for the new flaws, either, Houlden warned. Under GDPR, organizations might be held liable for a breach of security that relates to measures, such as patches, that should have been taken before the go-live date, he said.
Of course, the ICO is an independent authority that enforces information laws in the UK, so Houlden’s warnings apply narrowly to UK firms or those with employees or customers in the UK. Still, it is a warning shot over the bow of firms in the U.S., as well.
“Many companies don’t realize that all it takes is having one EU employee, one EU customer or one third party company that handles data that has an EU presence - all of those would qualify you falling under this regulation,” Michael Bruemmer, Vice President of Experian’s Data Breach Resolution Group, told me in a conversation we had last week on The Security Ledger podcast.
Many of the 28 EU member states have discussed how to work collaboratively with state attorneys general in the US to coordinate breach notifications resulting from GDPR’s heightened notification requirements. (Businesses are given 72 hours from becoming aware of a breach to disclose it to regulators.)
“In effect you’ve created your first global notification standard that heretofore we haven’t had,” Bruemmer said.
Rumblings from a regulator in the UK traditionally haven’t been the kind of thing that sends US companies running to their auditors, IT leads or attorneys. In this case, however, the ICO’s statements on Meltdown and Spectre might be read as a friendly heads-up to companies in the US that increased scrutiny of data security, and of everything (like patching) that goes along with it, is just around the corner. The time to start paying attention and acting is now.
Paul Roberts (@paulfroberts) is the publisher and Editor in Chief of The Security Ledger (@securityledger) and the founder of The Security of Things Forum (@secthings).