Legal implications of computer chip vulnerability

It has been announced recently that flaws have been detected in microprocessors that are the cornerstones of the hardware of the vast majority of computers.  These flaws enable hackers to steal unlimited amounts of data from the victim’s computer, leaving no evidence on it of the occurrence of the theft or the identity of the thief.  Standard antivirus software does not yet afford protection against such theft.

The names given to the flaws – Meltdown and Spectre – are clear evidence of how seriously the IT industry takes the potential for disaster arising from them.

All the microprocessor manufacturers involved are trying to roll out security patches to secure the flaws, but they are rushed and may themselves contain bugs.

The Information Commissioner’s Office, which is responsible for upholding information rights and data privacy, with the ability to impose penal sanctions for breach, strongly recommends that organisations determine which of their systems are vulnerable, and apply any available patches as a matter of urgency.

The general principle that is likely to be applied by the English courts is that users of computers with affected microprocessors were following a reasonable industry standard, had no available alternative, and no reason to suspect that the flaws existed.

Ultimate civil liability will rest with the manufacturers of the chips, but that does not stop users themselves being sued by aggrieved parties nor does it provide a guaranteed defence to a criminal prosecution.

We all now know of the flaws and must be seen to be taking steps to protect our data from their consequences:

• Find out if the manufacturer of your IT systems has issued any patches and apply them immediately.
• If you even suspect your system has been attacked, immediately call in the engineers and seek their advice.