The humble PC is now around 25 years old, but, in many ways, the IT security industry, which has been with us for almost as long, has changed more in the last 2.5 years than the last 25. Today's portable devices, notably smartphones powered by the Windows Mobile, Symbian, Apple and Blackberry operating systems, are microcomputers in their own right. But their processing power capabilities are significantly behind the curve of their desktop cousins. Our best estimates here at Credant are that the modern smartphone in your pocket or purse probably has the processing power of a PC of about a decade ago.
And therein lies the problem. Encrypting data on the fly on most smartphones, if done in the wrong way, can take a lot of processing power, with the result that users get frustrated with seeing the hour-glass busy symbol under Windows Mobile, or similar busy icons under other operating systems, and may just switch it off or ignore it. But what happens if you don't encrypt the data on your portable device such as your smartphone or your laptop? What can possibly go wrong?
Quite a lot, when you consider the requirements of most industry-specific compliance regulations, the growing number of state data security laws and statutes, as well as the American Recovery & Reinvestment Act (ARRA) of 2009 (Stimulus Act), which now mandates additional data breach notification requirements for certain types of companies.
These regulations, laws, statutes and mandates move the issue of data protection out of the good-to-have realm and firmly into the must-have category mainly because of the responsibilities they engender. Luckily, this can be done with the right software that will not slow down the device and is invisible and seamless to the user.
Those responsibilities are compounded by the fact that many company employees often use their own portable devices for business, and vice versa, meaning that security safeguards applied to company PDAs, smartphones and laptops are often not applied to personal devices.
Smartphones Are Minicomputers
As mentioned above, the latest generation of smartphones and PDAs are as powerful as the computers of the late 1990s, and their data storage capacity has grown even faster. The latest crop of Palm mobile computers and smartphones, for example, have a data capacity of at least 2 gigabytes if not much more, meaning that they can easily store 2,000 emails or 3,000 medium-sized documents, at the very least. And not just can; they frequently do store thousands of emails and documents for ease of reference and replies out of office. The only solution to all of these potential threats is encryption.
Encryption is clearly the way to protect communications. While it will not stop eavesdroppers, whether government-sponsored, profit-driven industrial spies, or good old hackers, from intercepting your messages, it will stop them gaining anything useful from them.
But encrypting communications is no longer enough. You also need to encrypt the data stored on mobile devices, and on all endpoints, to stay on the right side of the law. And the number of high-profile laptop thefts is frightening, and growing. In the US, a computer insurer has estimated that five per cent of all laptops are stolen within their first 12 months of service. On top of this, you also have to wonder just how many unreported thefts actually occur.
However, while it is clearly advisable to encrypt the data stored on all your mobile devices, it may become a mandatory legal requirement for many businesses, especially as they are frequently used to not only store company contact information but also a home address, mobile phone number and even home phone number. In other words, it is likely to include personal information that needs to be protected as required under many industry specific regulations as well as the growing number of state data security laws and statutes.
For example, the new Massachusetts regulation 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth states in 17.03, "Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information."
First of all, it is worth considering who is liable under this regulation. As defined, a "person" is a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.
Executives Could Be Personally Liable
In other words, this 'person' could be the business owner or a company executive. And, it could even include the person who stores the information on her portable device. It is arguable that, if the data is on the smartphone, laptop or other endpoint device, and it is there by company assent, then it is the company that is determining the purposes for and manner in which it is to be processed. And therefore it is the company that is liable.
Are Business People Breaking the Law?
It is generally accepted that the majority of people and companies are not protecting data everywhere they should, putting some companies and people at risk even when it is very clear that they should be protecting it. If you use a portable device to store contact information, you are probably subject to some data security regulation, law, statute or mandate. On a laptop, smartphone, PDA or any other endpoint, data encryption is the best technical method to secure personal data.
Against this backdrop, if your portable device falls into the wrong hands it could land your boss in court. And if the data is on the mobile device without company assent then the company has failed to protect the data.
Quite simply, there is no way round this: the company is liable and must adhere to the conditions of the data breach laws, statutes and mandates if employees use mobile devices that include sensitive corporate information. What actually constitutes appropriate technical and organizational measures is something that ultimately can only be defined by the courts, but it would be best not to let it get that far.
It seems fairly clear that 'organizational measures' could be covered by a formal written and enforced security policy designed to protect the mobile device and its data. But covering appropriate 'technical measures' is more difficult. If we were talking about the corporate mainframe, then we would obviously be thinking about a firewall. Unfortunately, despite the best efforts of the smartphone, PDA and laptop vendors, few include any sort of firewall protection, so it is down to users to encrypt their data and so stay safe.
Encrypted data is safe data. Confidential information is hidden from industrial spies and hackers alike. This is an advisable although not compulsory course of action. However, if the mobile device contains sensitive customer information, then you must seriously consider the liability it creates. And in this case, encryption is almost compulsory.
About the Author
Sean Glynn is with Credant Technologies.