You will have read the recent reports of security flaws in Intel, AMD and ARM processors that could be exploited by hackers. Not the sort of news to reassure any company with email marketing lists. Full details can be found here, including comments by users. The ICO website explains the situation in less technical terms here.
There are three interconnected variations of the vulnerability: Spectre, variants 1 and 2, and Meltdown, variant 3. At worst, we are told, these could lead to arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts. This means that any personal data being processed is vulnerable, as are credentials and encryption keys, so stored personal data is also at risk.
Reassuringly, there have been no known hacks using these vulnerabilities but one might assume that as the details have been published many will be looking for ways in. There are patches but these have problems.
Anti-virus software may not be compatible with patches, see here. Further, it would appear that for some users the patches may give rise to a performance drop. So for many email marketing companies there might be difficult choices to make.
Should you choose not to opt for a certain patch then you leave yourself vulnerable in another way as well. The ICO, in deciding whether to prosecute, and if so, how much, if anything, to fine, will take into account your specific needs. The question is what might influence the ICO in the event of a hack.
For a start, you will need to show that you have conformed with their advice with regards Privacy by Design. You should be implementing this already. They promise that having a layered security system means your systems cannot be exploited by the front door.
Secondly, you will need a reason, and a good one, as to why you have opted not to patch. One might assume that they will look to see if you have tried the patch and found it wanting. What options did you look for?
One way to ensure you have some form of defence is to put the problem back to the ICO. Ask them what you should do in your specific circumstances.
