The Information Commissioner's Office (ICO) has clarified its position in a blog post about the data security risks that organisations should address following the recently disclosed 'Meltdown' and 'Spectre' security flaws, which affect the way many of the world's computer processors operate.
Nigel Houlden, head of technology policy at the ICO, advised organisations to "determine which of their systems are vulnerable, and test and apply the patches as a matter of urgency" in response to the risks. He warned of the potential regulatory consequences should they fail to do so.
Houlden said: "Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty. And, under the General Data Protection Regulation taking effect from May 25 this year, there may be some circumstances where organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously."
Data protection law expert Rachel Forbes of Pinsent Masons, the law firm behind Out-Law.com, said that the comments from Houlden make it clear that the ICO will not take kindly to businesses "burying their head in the sand and overlooking weaknesses and vulnerabilities in systems".
"Businesses should take action now to put themselves in a strong position for avoiding reportable security breaches once the GDPR comes into force," she said.
Under the GDPR, businesses face potential fines of up to 4% of their annual global turnover or €20 million, whichever is greater, for the most serious breaches of the Regulation.
Currently, under the UK's Data Protection Act, the maximum penalty that the ICO can impose is a fine of up to £500,000.
Forbes explained that some data breach cases that emerge after the GDPR takes effect may still be subject to ICO enforcement action under the Data Protection Act.
"It is our understanding that where an actual breach occurs pre-25 May 2018 and the business either doesn’t become aware of it until after 25 May 2018 or is investigating the breach and such investigation, and subsequent notification, doesn’t end until after 25 May, any regulatory fine would be dealt with as a breach of the Data Protection Act, or indeed the Privacy and Electronic Communications Regulations, should that framework be relevant to the case," Forbes said.
"However, what the ICO has made clear in its latest comments is that hiding vulnerabilities under the carpet instead of looking to fix the issue pre-25 May could result in a substantially greater fine if a breach materialises post-25 May 2018," she said. "If it is clear to the ICO that measures, including patches, should have been implemented previously, businesses will not be able to argue that they should be subject to enforcement under the Data Protection Act rather than under the GDPR."