GDPR, CPU, Intel, Spectre, Meltdown … and what else?

February 2018 – Although Spectre and Meltdown are security flaws discovered in CPUs manufactured by Intel, they also appear to affect CPUs manufactured by AMD as well as ARM-based chips in mobile devices (Qualcomm and Samsung). Even Apple recently admitted that its Mac computers and iOS devices are affected. These security flaws lie not in the device itself or in its software, but in the architecture of its CPU.

Anyone who exploits these vulnerabilities can access sensitive data stored on physical devices, such as desktops, laptops, smartphones, and tablets as well as sensitive data stored in the cloud. Meltdown allows attackers to access the system’s memory and steal sensitive data. Spectre takes a different approach, tricking applications into disclosing sensitive information that would otherwise be inaccessible.

Even though a number of CPU manufacturers are affected, it is Intel which is now under pressure, as three class-action lawsuits have already been filed against it in the United States (in California, Indiana and Oregon). The plaintiffs in these lawsuits claim not only that there are design flaws in Intel CPUs, but also cite Intel’s delay in publicly disclosing these flaws and further allege that the fixes will cause computer slowdowns. (It is not yet clear how much performance will be affected; Intel said in a statement that any impact on performance will depend on the workload.) In California, the plaintiffs also claim that Intel misled consumers about the performance and reliability of computers operating with its processors.

As mentioned, sensitive data such as passwords, photos, emails, and even business-critical documents can be accessed and stolen. Both the current national data protection legislation and the incoming EU General Data Protection Regulation (GDPR), which becomes effective on 25 May 2018, render companies liable for security breaches, that is, for failing to take the necessary measures to protect personal data. Possible fines (under the GDPR) for this are as much as 4 per cent of annual global turnover or EUR 20 million (whichever is greater).

The UK’s data protection watchdog – the Information Commissioner’s Office (ICO) – has already warned companies about the situation and has recommended that they apply any and all security updates to mitigate security risks and to safeguard personal data. The ICO has also informed companies that any failure to patch a known vulnerability will be taken into account in the event of a data breach. It can be expected that a similar approach will be adopted by all national data protection regulators across the EU.

Some companies may try to avoid updating their software/firmware – either because they don’t notice or acknowledge these security flaws, or simply because they aren’t willing to accept a drop in the performance of their hardware. However, taking into account the possible consequences and the fines that may eventually be imposed under the GDPR, we strongly recommend applying all security patches and updates as soon as practicable, once they become available. Until you update your operating system to mitigate these hardware vulnerabilities, your sensitive data will definitely be at risk.

For more information, please contact Jan Pfeffer, Senior Associate in our Prague office, at .