The call from Ontario’s privacy commissioner for organizations to always encrypt data on any mobile device staff use — whether they handle personal information or not — may not be welcome by executives.
But industry analysts say the recommendation – which comes after contract staff at Elections Ontario lost two USB memory sticks with millions of names and birth dates – is both practical and affordable.
“This can be done in relatively seamless fashion with little interference to the end user,” says Chris Sherman, a researcher at Forrester Research who specializes in data privacy.
“There’s really no reason not to do it,” agreed Philip Clarke, a research analyst who specializes in wireless mobility at Nemertes Research –unless, for example, it can’t be done on a device yet, such as a tablet.
“Regardless of what industry you’re in, you can’t be losing data. It’s a bad idea.”
In fact, Sherman said, a number of U.S. states have laws mandating that all personal information must be encrypted.
Massachusetts, for example, has a regulation (201 CMR 17.00) that flatly mandates “encryption of all personal information stored on laptops or other portable devices” used by any person that has or licences personal information about a state resident. It also mandates that personal data sent over the Internet has to be encrypted.
In April a developer paid a US$15,000 fine to settle a complaint that a staffer had unencrypted data on 600 tenants on a laptop. California, Illinois and Nevada also have privacy laws that mandate organizations to encrypt personal information on all portable devices, Sherman said.
“With the proper skills and staffing any organization can implement software controls to automatically determine where sensitive data lies and whether or not encryption is necessary and enforcing it where appropriate,” Sherman said.
“With the same software you can enforce that policy that all devices regardless of media are encrypted.
Ontario privacy commissioner Ann Kavoukian argued this week that to absolutely ensure no one ever slips up, organizations shouldn’t be allowed to decide if only some staffers need to use encryption. The technology should be used all the time on all mobile devices.
Her recommendation came following her investigation into the Elections Ontario fiasco.
Ironically, the agency did have rules mandating encryption on data sticks. However, the temporary staff handling the devices weren’t trained on how to use the encryption software.
Sherman said that in the public sector, particularly in regulated industries, corporate rules mandating personal data on all portable devices be encrypted is emerging as a best practice.
There’s no shortage of vendors offering end-point encryption solutions, from desktop security verterans like Symantec Corp. and McAfee Inc. to disk drive manufacturers with hardware-based encryption such as Seagate and Western Digital. There’s even open source software called TrueCrypt.
The easiest tool to use is on many corporate desktops: Microsoft’s BitLocker, which comes on advanced versions of Windows, said Nemertes’ Clarke.
Mobile device management solutions – either on-premise or hosted – can be used for policy enforcement on laptops, tablets and smart phones, he added – anything with an operating system.
Encryption of thumb drives can be enforced through Microsoft Active Directory to alert the operating system when a USB drive is plugged into a PC.
Most companies want to encrypt personal data, Clarke added. But certain devices may cause problems. For example, two months ago a global manufacturing company told him it is hesitating about allowing staff to use Apple Inc.’s iPad because it couldn’t figure out how to encrypt data sent over its Wi-Fi network.
Why isn’t always-on encryption the standard in all organizations? Some are willing to run the risk of losing data, Clarke said. The only solution, he thinks, is government regulation.
“There will be push-back from some companies,” he predicted, in part because they’ll feel “it will be a pain to do.”