Could Your Mobile Device Land Your CEO in Court?

The humble PC is now around 25 years old, but in many ways, the IT security industry—which has been with us for almost as long—has changed more in the last 2 1/2 years than the last 25.

Today’s portable devices, notably smartphones powered by the Windows Mobile, Symbian, Apple iPhone, and Blackberry operating systems, are microcomputers in their own right. However, their processing power and other capabilities are significantly less than those of their desktop cousins. Our best estimates, here at Credant Technologies, are that the modern smartphone in your pocket or purse has the processing power of a PC of about a decade ago—and therein lies the problem.

Encrypting data on the fly on most smartphones, especially if it’s done in the wrong way, can take a lot of processing power. This can result in long waits while the hourglass or a similar icon spins away. Many frustrated users switch off encryption. After all, what could go wrong?

As it turns out, quite a lot! This is especially true when you consider the requirements placed on most business communications these days, such as industry-specific compliance regulations, the growing number of state-mandated data security laws and statutes, and the American Recovery & Reinvestment Act (ARRA) of 2009 (the Stimulus Act), which imposes additional data breach notification requirements on certain types of companies.

These regulations, laws, statutes, and mandates move the issue of data protection out of the good-to-have realm and firmly into the must-have category, mainly because of the responsibilities they engender. Fortunately, all this can be done invisibly to the user and without slowing the device, if you have the right software.

Those responsibilities are compounded by the fact that many employees use their own portable devices for business. This means that the security safeguards applied to company PDAs, smartphones, and laptops are often not applied to personal devices.

For a while now, mobile device data encryption has clearly been advisable. Now, with the legal requirements discussed earlier, it is becoming mandatory for many businesses. This is especially true if the mobile devices are used to store company contact information, home addresses, and phone numbers.

Personal and corporate liability

Without data encryption, this sensitive information could find its way into the wrong hands. If it does, not only could the owner of that device be personally liable, that liability could extend to his or her superiors or the business owner.

In fact, if the data is on the smartphone, laptop, or other endpoint device by company assent, then it can be argued that it is the company that is determining the purposes for and manner in which it is to be processed. The company itself is liable! And if the data is on the mobile device without company assent, it can be argued that the company has failed to protect the data.

Quite simply, there is no way round this—the company is liable and must adhere to the conditions of the data breach laws, statutes, and mandates if employees use mobile devices that include sensitive corporate information.

Against this backdrop, if your portable device falls into the wrong hands, it could land your boss in court.

Taking appropriate measures to secure data

What actually constitutes appropriate technical and organizational measures is something that ultimately can only be defined by the courts. However, it would be best not to let it get that far.

It seems fairly clear that “organizational measures” could be covered by a formal written—and enforced—security policy designed to protect the mobile device and its data. But covering appropriate “technical measures” is more difficult.

For example, if we were talking about the corporate mainframe, then we would obviously be thinking about a firewall. Unfortunately, despite their best efforts, few smartphone, PDA, and laptop vendors include any sort of firewall protection. It’s up to the corporate users to encrypt their data and therefore stay safe.

Encrypted data is safe data. Confidential information is hidden from industrial spies and hackers alike. This is an advisable, although not compulsory, course of action for devices with personal information stored on them. However, if the mobile device contains sensitive customer information, then encryption is almost compulsory.

Are business people breaking the law?

The majority of people and companies may not be fully protecting their data—even when it is very clear that they should be—and this puts them at risk. If you use a portable device to store contact information, you are probably subject to some data security regulation, law, statute, or other mandates. If you ignore these, you may very well be breaking the law.

On a laptop, smartphone, PDA, or any other endpoint, data encryption is the best technical method to secure personal data.

Unsecured data can lead to personal and corporate problems
Winter 2010