Could your mobile device land your CEO in court?


Credant Technologies – Today's portable devices, notably smartphones powered by the Windows Mobile, Symbian, Apple and Blackberry operating systems, are microcomputers in their own right.

But their processing power capabilities are significantly behind the curve of their desktop cousins. Our best estimates here at Credant are that the modern smartphone in your pocket or purse probably has the processing power of a PC of about a decade ago.

And therein lies the problem. Encrypting data on the fly on most smartphones if done in the wrong way can take a lot of processing power, with the result that users get frustrated with it and may just switch it off or ignore it.

But what happens if you don't encrypt the data on your portable device such as your smartphone or your laptop? What can possibly go wrong?

Quite a lot, when you consider the requirements of most industry specific compliance regulations, the growing number of state data security laws and statutes, as well as, the American Recovery & Reinvestment Act (ARRA) of 2009 that now mandates additional data breach notification requirements for certain types of companies.

These regulations, laws, statutes and mandates move the issue of data protection out of the good-to-have realm and firmly into the must-have category mainly because of the responsibilities they engender.

Those responsibilities are compounded by the fact that many company employees often use their own portable devices for business - and vice versa - meaning that security safeguards applied to company PDAs, smartphones and laptops are often not applied to personal devices.

Smartphones are minicomputers

As mentioned above, the latest generation of smartphones and PDAs are as powerful as the computers of the late 1990s - and their data storage capabilities are even more powerful.

The latest crop of Palm mobile computers/smartphones, for example, have a data capacity of at least 2 gigabytes if not much more, meaning that they can easily store 2,000 emails and/or 3,000 medium-sized documents, at the very least.

And not just can - they frequently do store thousands of emails and documents for ease of reference and replies out of office.

The only solution to all of these potential threats is encryption.

Encryption is clearly the way to protect communications. It won't stop eavesdroppers (whether government-sponsored, profit-driven industrial spies, or good old hackers) from intercepting your messages - but it will stop them gaining anything useful from them.

But encrypting communications is no longer enough - you also need to encrypt the data stored on the mobiles devices, and all endpoints, to stay on the right side of the law.

And the number of high profile laptop thefts is frightening, and growing. In the US, a computer insurer has estimated that five percent of all laptops are stolen within their first 12 months of service.

On top of this, you also have to wonder just how many unreported thefts actually occur.

Executives could be personally liable

But while it is clearly advisable to encrypt the data stored on all your mobile devices, it may, for many businesses, in fact become a mandatory legal requirement especially as they are frequently used to not only store company contact information but also a home address, mobile phone number and even home phone number.

In other words, it is likely to include personal information that needs to be protected - as required under many industry specific regulations as well as the growing number of state data security laws and statutes.

For example, the new Massachusetts regulation 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth states in 17.03: "Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information."

First of all it is worth considering who is liable under this regulation. As defined, a "Person," is a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.

In other words, this 'person' could be the business owner or a company executive.

And could even include the person who stores the information on their portable device.

It is arguable that, if the data is on the smartphone, laptop or other endpoint device - and it is there by company assent - then it is the company that is determining the purposes for and manner in which it is to be processed. And it is therefore the company that is liable.

Against this backdrop, if your portable device falls into the wrong hands it could land your boss in court.

And if the data is on the mobile device without company assent then the company has failed to protect the data.

Quite simply, there is no way round this – the company is liable and must adhere to the conditions of the data breach laws, statutes and mandates if employees use mobile devices that include sensitive corporate information.

What actually constitutes appropriate technical and organizational measures is something that ultimately can only be defined by the courts - but it would be best not to let it get that far.

It seems fairly clear that 'organizational measures' could be covered by a formal written and enforced security policy designed to protect the mobile device and its data. But covering appropriate 'technical measures' is more difficult.

If we were talking about the corporate mainframe, then we would obviously be thinking about a firewall.

Unfortunately, despite the best efforts of the smartphone, PDA & laptop vendors, few include any sort of firewall protection, so it is down to users to encrypt their data and to stay safe.

Free Course: JavaScript: The Good Parts
View Comments
You Might Like
Join the discussion
Be the first to comment on this article. Our Commenting Policies