GDPR also covers "security by design" in hardware and software, warns Dr Kuan Hon

Data controllers obliged to consider "data protection by design and by default" under GDPR - which will also cover firmware

Organisations using insecure hardware could face action under the EU General Data Protection Regulation (GDPR) should the firmware of such devices prove insecure and contribute to a spillage of personal data.

According to Dr Kuan Hon, a director in the Privacy, Security and Information group at law firm Fieldfisher, GDPR obligations almost certainly extend both to the choice of hardware and to keeping its firmware up to date and in a secure state.

"One point that I think doesn't get as much attention as it should is that the GDPR obligation on data controllers regarding ‘data protection by design and by default’ should include ‘security by design and by default’, and I believe that this must include choosing and maintaining secure firmware (and software) for devices used to process personal data," said Hon.

She continued: "In other words, not checking hardware is secure before procuring it, not configuring it securely (for example, not changing bad default passwords) and not expeditiously patching vulnerabilities in firmware (and other software) used to process personal data.

"All these could well breach the ‘data protection by design and by default’ obligation on controllers - as well as the security obligation on both controllers and, where relevant, data processors (service providers engaged by data controllers to process personal data, such as cloud providers or payroll service providers, who must also keep personal data secure).

"And that could also breach the core data protection principle of ‘integrity and confidentiality’ that binds controllers (and carries a higher-tier fine under the GDPR, unlike the security/data protection by design and by default obligations), as insecure firmware could lead to a breach of integrity, confidentiality - or both."

Hence, for example, an organisation that installs an internet-connected CCTV system whose digital video recorders (DVRs) run an old and insecure version of Linux could face fines under GDPR if attackers use those DVRs as an entry point: the failure engages the data protection by design and by default obligation, the security obligation and the integrity/confidentiality principle.

Hon was speaking to Computing following a joint public statement from the Department for Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) on the need to improve firmware security.

That statement builds on a meeting in July between DCMS, NCSC and the technology industry. "All those present highlighted the value of existing industry collaboration in providing stable updates to firmware across a wide range of devices, and under significant time pressure," according to the statement.

Industry collaborators included Apple, ARM, Microsoft, Intel, Qualcomm and Samsung.

IT security failings are, increasingly, costing CIOs and CEOs their jobs. With business utterly dependent on IT, it's not enough for senior executives to dismiss security as ‘techie stuff'.