The Log4j 2 exploit will have affected millions of organisations, potentially exposing customer data to hackers. As IT teams scramble to fix the patch, we ask what implications this may have for GDPR compliance?
What security issue?
A critical vulnerability has been discovered in Log4j 2, an open-source Java package used on Apache servers to enable an activity log in many popular applications. The vulnerability has been rated 10/10 for severity and there is evidence that the vulnerability has already been weaponized by hackers. Reports suggest that servers used by Apple, Tencent, Minecraft and Cloudflare have already been the target of attacks.
The vulnerability allows hackers to gain remote access and execute their own code, potentially exposing any data stored on these servers.
For example hackers may run code that transfers data to their own devices, or setup ransomware and demand payment to unencrypt or return your data.
How does this relate to data protection law such as GDPR?
Data protection laws such as GDPR insist that personal data must be kept secure. They outline your responsibility to protect data and many data protection laws also include specific procedures which must be followed in the event of a data breach (unauthorised access to personal data). We’ll look at how this applies under UK GDPR and CCPA in more detail below.
Your responsibility to keep personal data secure
The security principle of UK GDPR states that you must process personal data securely by means of “appropriate technical and organisational measures”. In practice this will require a mixture of physical and technical measures that keep the data you process secure.
In the case of a new security flaw this means taking appropriate and swift action to fix the flaw. Leaving a system open to the flaw would be breach of the security principle.
Poor security patching processes was the leading cause of the Carphone Warehouse hack in 2015 which saw the personal data of 3.3 million customers and 1,000 employees exposed. Occurring before GDPR came into force, the data breach led to a fine of £400,000.
If the same breach was to happen again today they would be at risk of up to £17.5 million or up to 4% of total global turnover whichever is higher.
There are similar requirements under CCPA. Specifically CCPA states that you must “put reasonable security practices and procedures in place” to protect personal data collected under CCPA.
In this case, applying security patches to fix vulnerabilities would likely be considered a reasonable security practice.
Data breach reporting
In the event of a data breach under UK GDPR, you must:
- Notify the individuals concerned if a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR says you must inform those concerned directly and without undue delay, in other words “as soon as possible”. One of the primary reasons for informing individuals is to help them to take steps to protect themselves from the effect of a breach, for example if their password was compromised, they can now take action to update other accounts they hold.
- Notify the ICO if you believe there is a risk to people’s rights and freedoms as a result of the data breach. If you decide not to notify them, you must record your decision. This must be completed no longer than 72 hours after becoming aware of the breach.
- Make a record of the data breach that can be audited later. You must do this regardless of what other actions you take.
At the time of writing the same rules apply for EU GDPR except you will likely need to report to your own supervisory authority instead of the ICO. If you are unsure who your supervisory authority is, you can use our directory.
In the event of a data breach under CCPA, you must:
- Notify affected individuals if the data was unencrypted.
- If the data was encrypted you do not need to notify individuals unless:
- You think an unauthorised person obtained the information
- The encryption security credential or the key was (or you think that it may have been) obtained by any unauthorised person, and
- The encryption security credential or the key could make the stolen data readable or usable
- You almost must notifyCalifornia’s Attorney General’s office if the breach affects more than 500 Californian residents.
What do I need to do?
- Speak with IT and your service providers. Are you affected and if so what steps have they taken?
- Check for any indications that the data you hold may have been compromised.
- If it looks like data was compromised, start the data breach procedures.
- Assess the impact
- Communicate to the data subjects affected
- Report (if required)
- Record in your data breach log
⚠️ Try our free GDPR course. First cohort starting 24th August 2022.