The call from Ontario’s privacy commissioner for organizations to always encrypt data on any mobile device staff use – whether they handle personal information or not – may not be welcomed by executives.
But industry analysts say the recommendation – which comes after contract staff at Elections Ontario lost two USB memory sticks with millions of names and birth dates – is both practical and affordable.
“This can be done in relatively seamless fashion with little interference to the end user,” says Chris Sherman, a researcher at Forrester Research who specializes in data privacy.
“There’s really no reason not to do it,” agreed Philip Clarke, a research analyst who specializes in wireless mobility at Nemertes Research – unless, for example, it can’t be done on a device yet, such as a tablet.
“Regardless of what industry you’re in, you can’t be losing data. It’s a bad idea.”
In fact, Sherman said, a number of U.S. states have laws mandating that all personal information must be encrypted.
Massachusetts, for example, has a regulation (201 CMR 17.00) that flatly mandates “encryption of all personal information stored on laptops or other portable devices” used by any person that has or licenses personal information about a state resident. It also mandates that personal data sent over the Internet has to be encrypted.
In April a developer paid a US$15,000 fine to settle a complaint that a staffer had unencrypted data on 600 tenants on a laptop. California, Illinois and Nevada also have privacy laws that require organizations to encrypt personal information on all portable devices, Sherman said.
“With the proper skills and staffing any organization can implement software controls to automatically determine where sensitive data lies and whether or not encryption is necessary and enforcing it where appropriate,” Sherman said.
“With the same software you can enforce that policy that all devices regardless of media are encrypted.”
Ontario privacy commissioner Ann Cavoukian argued this week that to absolutely ensure no one ever slips up, organizations shouldn’t be allowed to decide if only some staffers need to use encryption. The technology should be used all the time on all mobile devices.
Her recommendation came following her investigation into the Elections Ontario fiasco.