Are business people breaking the law?
Today's portable devices, notably smartphones powered by the Windows Mobile, Symbian, Apple, and Blackberry operating systems, are actually microcomputers. But they have less processing power than their desktop cousins. In fact, we estimate that the modern smartphone in your pocket or purse probably has the processing power of a PC of about a decade ago.
And therein lies the problem. Encrypting data on most smartphones can take a lot of processing power, with the result that users get frustrated with seeing hour-glass or other types of “busy” symbols. So they may just switch it off or ignore it.
The latest generation of smartphones and PDAs are as powerful as the computers of the late 1990s—but their data storage capabilities are more powerful. The latest crop of Palm mobile computers/smartphones, for example, have a data capacity of at least 2 gigabytes, if not much more, meaning that they can easily store 2,000 e-mails and/or 3,000 medium-sized documents.
It’s the Law
One has to consider the requirements of most industry specific compliance regulations, the growing number of state data security laws and statutes, as well as the American Recovery & Reinvestment Act (ARRA) of 2009 (Stimulus Act) that now mandates additional data breach notification requirements for certain types of companies.
These regulations, laws, statutes, and mandates move the issue of data protection out of the good-to-have realm and firmly into the must-have category. Those responsibilities are compounded by the fact that many company employees often use their personal portable devices for business—and vice versa—meaning that they may not use security safeguards applied to company-issued PDAs, smartphones, and laptops. Fortunately, if the proper encryption software is used, the user won’t experience any data slowdown.
Encryption Is Essential
Unfortunately, few smartphone, PDA, and laptop vendors include any sort of firewall protection, so it is up to users to encrypt their data to stay safe. Although encryption won't stop eavesdroppers (whether government-sponsored, profit-driven industrial spies, or good old hackers) from intercepting your messages, it will stop them from gaining anything useful from them.
But encrypting communications is no longer enough. You also need to encrypt the data stored on the mobile devices and all endpoints to stay on the right side of the law. While it is clearly advisable to encrypt the data stored on all your mobile devices, it may, for many businesses, become a mandatory legal requirement, especially as they are frequently used to not only store company contact information but also a home address, mobile phone number and even home phone number.
Who Is Liable?
The new Massachusetts regulation 201 CMR 17.00 states: “Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.”
It is worth considering who is liable under this regulation. As defined, a “person” is a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.
In other words, this “person” could be the business owner or a company executive. So executives could be personally liable. Liability could even include the person who stores the information on his portable device.
It is arguable that, if the data is on the smartphone, laptop or other endpoint device—and it is there by company assent, then it is the company that is determining the purposes for and manner in which it is to be processed. And it is therefore the company that is liable.
Against this backdrop, if your portable device falls into the wrong hands it could land your boss in court. And if the data is on the mobile device without company assent then the company has failed to protect the data.
Quite simply, there is no way round this: the company is liable and must adhere to the conditions of the data breach laws, statutes and mandates if employees use mobile devices that include sensitive corporate information.
What to Do
What actually constitutes appropriate technical and organizational measures is something that ultimately can only be defined by the courts, but it would be best not to let it get that far.
It seems fairly clear that “organizational measures” could be covered by a formal written and enforced security policy designed to protect the mobile device and its data, but covering appropriate “technical measures” is more difficult.
Encrypted data is safe data. Confidential information is hidden from industrial spies and hackers alike. This is an advisable, although not compulsory, course of action. However, if the mobile device contains sensitive customer information, then you must seriously consider its liability; and in this case, encryption is almost compulsory.
To sum up: on a laptop, smartphone, PDA or any other endpoint, data encryption is the best technical method to secure personal data.