Sean Glynn, Credant Technologies: Could your mobile device land your CEO in court?
August 2009 by Sean Glynn, Credant Technologies
The humble PC is now around 25 years old, but, in many ways, the IT security industry - which has been with us for almost as long - has changed more in the last 2.5 years than the last 25.
Today’s portable devices, notably smartphones powered by the Windows Mobile, Symbian, Apple and Blackberry operating systems, are microcomputers in their own right.
But their processing power capabilities are significantly behind the curve of their desktop cousins. Our best estimates here at Credant are that the modern smartphone in your pocket or purse probably has the processing power of a PC of about a decade ago.
And therein lies the problem. Encrypting data on the fly on most smartphones if done in the wrong way can take an awful lot of processing power, with the result that users get frustrated with seeing the hour-glass busy symbol under Windows Mobile, or similar busy icons under other operating systems and may just switch it off or ignore it.
But what happens if you don’t encrypt the data on your portable device such as your smartphone or your laptop? What can possibly go wrong?
Quite a lot, when you consider the requirements of the Data Protection Act.
The Act - now backed up by European data directives - moves the issue of data protection out of the good-to-have and firmly into the must-have category, mainly because of the responsibilities these directives engender – and this can be done with the right software that won’t slow the device down and is invisible and seamless to the user.
Those responsibilities are compounded by the fact that many company employees often use their own portable devices for business - and vice versa - meaning that security safeguards applied to company PDAs, smartphones and laptops are often not applied to personal devices.
Smartphones are minicomputers
As mentioned above, the latest generation of smartphones and PDAs are as powerful as the computers of the late 1990s - and their data storage capabilities are even more powerful.
The latest crop of Palm mobile computers/smartphones, for example, have a data capacity of 2 gigabytes, meaning that they can easily store 2,000 emails and/or 3,000 medium-sized documents.
And not just can - they frequently do store thousands of emails and documents for ease of reference and replies out of hours.
The only solution to all of these potential threats is encryption. Encryption is clearly the way to protect communications. It won’t stop eavesdroppers (whether government-sponsored Echelon, profit-driven industrial spies, or good old hackers) from intercepting your messages - but it will stop them gaining anything useful from them.
But encrypting communications is no longer enough - you also need to encrypt the data stored on the mobiles devices, and all endpoints to stay on the right side of the law.
And the number of high profile laptop thefts is frightening, and growing. In the US, a computer insurer has estimated that five per cent of all laptops are stolen within their first 12 months of service.
On top of this, you also have to wonder just how many unreported thefts actually occur.
However, while it is clearly advisable to encrypt the data stored on all your mobile devices, it may, within the European Union, in fact be a legal requirement especially as they are frequently used to not only store company contact information but also a home address, mobile phone number and even home phone number.
In other words it is likely to include personal information that needs to be registered - and protected - as required under the Data Protection Act.
The seventh principle of this Act is unequivocal: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
First of all it is worth considering who is liable under this Act. The Act states that conformance to the Data Protection Act is the responsibility of the Data Controller.
And it defines a ’data controller’ as being... "a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed."
Senior managers are personally liable
In other words, this ’person or persons’ is effectively the Board and the immediate data processing managers.
One thing it is not and that is the person who ’owns’ the portable device.
It is arguable that, if the data is on the smartphone, laptop or other endpoint device – and it is there by company assent, then it is the company that is determining the purposes for and manner in which it is to be processed. And it is therefore the company that is liable.
Against this backdrop, if your portable device falls into the wrong hands it could land your boss in court.
But if the data is on the mobile device without company assent, then the firm has probably already broken the Data Protection Act by failing to protect "against accidental loss or destruction of, or damage to, personal data"; that is, it has ’broken’ the seventh principle.
Company rules might say, for example, that if employees carry company data on their own mobile device, they must use encryption to protect it.
"The employee is, of course, responsible for implementing the rules, but is probably responsible to the employer rather than directly to the Commissioner," explains Nicholas Bohm, a consultant to the E-Commerce Group of City law firm Fox Williams.
In other words, the company is still liable.
Quite simply, there is no way round this – the company is liable and must adhere to the conditions of the Data Protection Act - if employees use mobile devices that include contact information.
And, once again, it is worth considering the wording of the Act itself: "Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly."
Put simply, this means you, a company director.
What actually constitutes appropriate technical and organisational measures is something that ultimately can only be defined by the courts - but it would be best not to let it get that far.
It seems fairly clear that ’organisational measures’ could be covered by a formal written and enforced security policy designed to protect the mobile device and its data. But covering appropriate ’technical measures’ is more difficult.
If we were talking about the corporate mainframe, then we would obviously be thinking about a firewall.
Unfortunately, despite the best efforts of the smartphone, PDA & laptop vendors, few include any sort of firewall protection, so it is down to users to encrypt their data and so stay safe.
Encrypted data is safe data. Confidential information is hidden from industrial spies and hackers alike. This is an advisable although not compulsory course of action.
However, if the mobile device contains contact information, then you must seriously consider its liability under the Data Protection Act. And in this case, encryption is almost compulsory.
Are business people breaking the law?
It is generally accepted that the majority of people and companies have never bothered to register with the Data Protection Registrar, even when it is very clear that they should.
It is not so well known, however, how many people and companies contravene the Data Protection Act through their use (or abuse) of personal data stored on their computers.
The two most important let-offs are that processing of personal information may be carried out:
(a) with the permission of the individual
(b) in performance of a contract with the individual
So what does this mean?
Well, it implies that you can keep and process personal information on your existing clients. But you cannot (without their permission) maintain and process a database of information on prospects.
If you do this, you are probably breaking the law.
But remember that even where the use of personal data is legal, you still need to obey the seventh principle - you need to keep the data secure, and that probably means you need to encrypt it.
If you use a portable device to store contact information, you are probably subject to the Data Protection Act.
Within the European Union, the seventh data protection principle requires you to protect personal data with appropriate organisational and technical measures.
On a laptop, smartphone, PDA or any other endpoint, data encryption is the best technical method to secure personal data.