Meltdown and Spectre: Patch or be Fined by GDPR, Advises U.K.’s Information Commissioner’s Office

In the wake of the disclosure of microprocessor vulnerabilities Meltdown and Spectre, organizations and users are still grappling with their potential impact as vendors continue to roll out patches for them. But these flaws can also teach enterprises another lesson: Patch or be fined.

Nigel Houlden, Head of Technology Policy of the U.K. Information Commissioner's Office (ICO), warned that while the EU General Data Protection Regulation (GDPR) won’t be enforced until May 25, enterprises that fail to properly assess the risks of the vulnerabilities and patch them can face hefty fines as stipulated in the GDPR.


Houlden wrote, “Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty.

“And, under the General Data Protection Regulation taking effect from May 25 this year, there may be some circumstances where organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously,” Houlden added.


GDPR’s administrative fines range from 2-4% of the company’s global revenue (or €10-20 million, whichever is higher). To further exemplify what EU GDPR can mean to a business’ bottom line: On January 10, ICO fined Carphone Warehouse £400,000 (or US $490,000) after a data breach in 2015 compromised the personally identifiable information of over 3 million of its customers and 1,000 employees.

If the GDPR is a game changer, Meltdown and Spectre should serve as a wake-up call for businesses: No platform is immune. For instance, cybercriminals recently capitalized on the buzz around Meltdown and Spectre, piggybacking on their notoriety to deliver the SmokeLoader downloader Trojan to unwitting users in Germany.

Even social media isn’t impervious to GDPR. Last year, Facebook and a Germany-based education and services provider were embroiled in a legal impasse after the provider was ordered to shut down its Facebook Page once Germany’s data protection authority found that the page tracked its visitors via cookie data.


GDPR’s Principle 7 highlights the importance of information security in preventing data breaches, and ultimately in keeping personal data out of cybercriminals’ hands while preserving its integrity and privacy. Artificial intelligence and machine learning, for instance, complement other security technologies. Both involve analyzing and managing vast amounts of data, and organizations are required to sift through their databases for the many kinds of personally identifiable information that fall under GDPR’s purview.

Unfortunately, threats come in all shapes and sizes: Equifax’s data breach, for instance, was partly caused by an unpatched Apache Struts server. The data breaches at Wendy’s, Target, and the city of Oceanside, California were believed to be caused by point-of-sale malware. Anthem’s data breach was triggered by phishing its employees and installing keyloggers on their systems, while software company Sage’s was reportedly instigated by a malicious insider.

Infographic: The potential impact of GDPR on the business’ bottom line

Indeed, GDPR compliance entails a tailored and multilayered approach: Setting up defenses at each level of the infrastructure that stores and processes personal data — from the business’ physical perimeter to its online gateways, endpoints, networks, and servers.

As Houlden pointed out in ICO’s advisory, “Systems should be protected at each step, you should be looking at your data flows, understanding how your data moves across and beyond your organisation, both in the electronic format and the ‘real’ world format. You should be evaluating the impact of a data breach, or data loss on you, financially, and your reputation. Data should be secure at rest as well as when in transit—even if a hacker gets the data they shouldn’t be able to read it.”

Trend Micro solutions, powered by XGen™ security, deliver state-of-the-art security capabilities that can be used to help address GDPR compliance. Trend Micro™ XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen protects against today’s purpose-built threats that bypass traditional controls and exploit known, unknown, or undisclosed vulnerabilities. Smart, optimized, and connected, XGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
