Mobile device encryption a must, says Information Commissioner

By Ron Condon, U.K. Bureau Chief
14 Aug 2009 | SearchSecurity.co.uk

Companies that fail to encrypt personal information on removable media and mobile devices run the risk of a public shaming -- and possibly fines -- from the Information Commissioner.

In a judgment issued on August 12 against the transport company UPS Inc., the Information Commissioner's Office (ICO) spelled out for the first time the need for mobile device encryption and suggested that all companies should heed the advice.

The office says that UPS must ensure that "appropriate data security programmes and procedures regarding removable media, including the use of encryption where appropriate, are put in place within six months."

The case related to a laptop computer belonging to a UPS employee that was stolen while he was overseas on business last October. The machine, which was password-protected but not encrypted, contained the payroll data of 9,150 U.K.-based UPS employees. It included their names, addresses, dates of birth and National Insurance numbers, as well as their salary and bank details.

In a written statement the assistant Information Commissioner Mick Gorrill said: "Password protected laptops are not secure. I urge all organisations to restrict the amount of personal information that is taken off secure sites. I am pleased that UPS has encrypted its laptops and smartphones, and I urge other organisations to follow suit."

As part of the judgment, UPS issued a signed undertaking promising to follow the recommendations of the ICO and to take better care of personal data in the future. The ICO's powers are currently limited to issuing enforcement orders against companies. The Criminal Justice and Immigration Act, approved by Parliament in early 2008, gave the ICO the power to impose fines. Fines cannot be imposed, however, until the Ministry of Justice issues a tariff of penalties, which it was expected to do by the end of 2008 but has so far failed to deliver.

Rosemary Jay, who heads the technology practice at law firm Pinsent Masons, said the judgment is unusually prescriptive. "The Commissioner usually talks in terms of the ISO model and managing risks, but here he has gone quite specific on the advice he is giving. He is saying you should encrypt mobile devices wherever significant personal information is held."

She also questioned the practicality of keeping personal data to a minimum on mobile devices. "Emails on a Blackberry, for instance, will be synchronised with office systems, and they might have personal information in attachments," she said. "It is also so easy to move data around in organisations. The main database may be protected, but there will be copies or extracts made for quite legitimate purposes."

Even when companies choose to adopt mobile device encryption, they still need to do the groundwork beforehand. According to Julian Baycock, general manager of Data Encryption Systems Ltd., many encryption projects take a long time to get going because they expose a lack of proper policies and processes. "They need to think about policies, how they are going to manage the keys, and who will have access to them," he said. "It can open up a huge can of worms, and it requires some new thought processes. It also sets restrictions on the way people work."

Baycock said ICO judgments can be useful in reminding companies about the need for encryption, but that budgets are still tight. "Many companies are still just dipping their toe in the water with encryption," he said.

Alan Calder, director of IT Governance Ltd., a consultancy, said that until the ICO gets its powers to impose fines, it is "powerless." He also cast doubt on any changes happening this side of a general election.

"The ICO is supposed to be getting all these new powers. But this has been happening for the last 18 months. The current talk is that something may happen by spring, or maybe not. I wouldn't be surprised if we're still in the same position in a year's time, saying how good it would be for the ICO to impose big fines. I think being the Information Commissioner must be a terrible job."
