Regulatory compliance: The impact of mobile devices on the enterprise

Reviewing regulations
The first step is to evaluate data security regulations and determine which are applicable to your business. When doing so, you will find that few regulations enumerate threats or measures specific to mobile devices. Instead, regulations define the types of data that must be protected, when and why, and related security processes like access monitoring and breach reporting. For example:

• U.S. financial firms that fail to comply with the Gramm Leach Bliley Act (GLBA) face fines that start at $10,000 per violation. GLBA is designed to protect the privacy of "personally identifiable financial information" (PIFI) used in commerce transactions. Banks, brokerages, CPAs and others in the financial industry are required to take steps to ensure the integrity, confidentiality and security of PIFI; prevent unauthorized access to PIFI; and mitigate reasonably foreseeable threats that could result in PIFI disclosure, misuse or destruction.

• Hospitals, medical offices, HMOs and others in the healthcare industry must comply with Healthcare Information Portability and Accountability Act (HIPAA) guidelines. For example, HIPAA Section 4 requires those companies to implement technical security mechanisms that guard against unauthorized access to "protected health information" (PHI) transmitted over a communications network, including access controls, audit controls, integrity, authentication, transmission security, and processes for security management and incident response ...
  
  To continue reading for free, register below or login

  Requires Membership to View

  To gain access to this and all member only content, please provide the following information:

  Email Address:
  
  
  

  By joining SearchMobileComputing.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
  
  TechTarget cares about your privacy. Read our Privacy Policy
  To read more you must become a member of SearchMobileComputing.com

  As an existing member of the TechTarget network please activate your SearchMobileComputing.com account 

  By joining SearchMobileComputing.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
  
  TechTarget cares about your privacy. Read our Privacy Policy
  
  
  

  RELATED CONTENT Mobile Management Choosing personal mobile devices in a diverse mobile world Mobile device management strategy for diverse mobile devices Mobile device management checklist Future proofing mobile device management Managing mobile device diversity Your mobile strategy is always a moving target Mobile device management: What can it do for your organization? Mobile device governance Mobile worker strategies Mobile user management: Mobile employees and team-building Government Regulations for Cell Phones and Smartphones Ensuring mobile data protection for smartphones is critical Verizon, AT&T to operate 4G on new 700 MHz spectrum wins Mobile trends: The big stories of 2007 Mobile device compliance and workforce management Compliance in the mobile enterprise Mobile Security - Limiting the Imminent Risks Wireless LAN deployment and federal regulations What encryption standard is becoming the most widely accepted for US Government use? Wireless LANs meet needs for compliance RFID Mobile Policies and Procedures Mobile device security policies: Asserting control over mobile devices Securing corporate data on your laptops Podcast: FAQs on mobile policies Developing and instituting corporate mobile device policies Mobile security culture starts at the top Detecting rogue mobile devices on your network Mobile security policies Defining your mobile security policy Government regulations and mobile security policies Mobile security policies: Why a policy is important

  RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

  
  
  and reporting. Failure to comply with HIPAA can result in civil or criminal penalties, starting at $50,000 in fines and one year in prison.

• Merchants and other companies that participate in payment card processing must now comply with the Payment Card Industry (PCI) Data Security Standard (DSS). This standard, created by aligning Visa and MasterCard requirements for safe handling of sensitive information, provides a framework for developing a robust account data security process. Specifically, DSS enumerates requirements that payment card industry players should meet to secure and monitor their networks, protect cardholder data, manage vulnerabilities, implement strong access controls, and maintain security policies.

• A growing number of businesses must comply with California Senate Bill 1386 (CA SB 1386), which requires notification of customers, employees or other individuals affected when a security breach occurs and a CA resident's unencrypted personal information is reasonably believed to have been acquired by an unauthorized person. Comparable breach notification bills have now been enacted in at least 35 states.

• The Sarbanes-Oxley Act (SOX) requires publicly held companies to protect financial accounting and auditing systems in order to ensure the reliability of financial statements. Section 404 mandates financial reporting internal controls so that transactions are securely authorized, recorded and reported. Section 409 requires prompt reporting and handling of unauthorized financial data disclosure. In addition to market repercussions, SOX violators may incur up to $1 million in fines and/or 20 years in prison.

Understanding the impact on mobile data
GLBA, HIPAA, PCI, SB 1386 and SOX are perhaps the best-known regulations here in the U.S. but are just a few of the hundreds of regulations that apply across the world. If your company must comply with one or more regulations, the next step is to map the associated data-security standards or guidelines onto your business processes, network and systems. Part of this task is to consider the impact of those regulations on mobile data.

For example, SOX requires that organizations have effective internal controls. When mobile devices carry financial data (email messages, spreadsheets, database records), those internal controls could involve written policies governing acceptable use of mobile devices and data encryption to prevent loss of control if a mobile device is lost or stolen.

GLBA requires that PIFI be secured at all times. When applied to a mobile workforce, this could involve use of encrypted communication to prevent disclosure of data sent over wireless WANs or LANs that lie beyond company control, as well as measures to preserve that data's integrity (e.g., avoiding transaction forgery, modification or replay).

PCI DSS requires companies to monitor their networks and use strong access controls to prevent unauthorized access to cardholder data. When merchants provide wireless access to mobile devices – handheld inventory checking or point-of-sale payment processing, for example – they must prevent that vector from being abused as a back door to reach stored data or implant trojans that could capture future payment transactions.

The bottom line
Clearly, there are many more potential impacts -- details differ depending on the regulations involved and the nature and location of your business. The most important thing to understand is that mobile devices simply cannot be overlooked when attempting to comply with data security regulations. Few (if any) companies remain untouched by mobile devices, whether owned by the employer or employee. Headlines repeatedly remind us of the potential costs, from last year's stolen VA laptop containing 26 million personnel records to this year's multi-billion-dollar wireless hack at TJX. Including mobile devices in your compliance strategy right from the start is far less expensive than dealing with the fallout from a major security breach.

About the author: Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.