Today, many companies are affected by data security regulations that impose fines, directed remedies, and civil/criminal penalties for non-compliance. Some regulations apply to specific industry sectors (healthcare, financial, retail) while others have broad applicability (regional and national laws). Compliance is hard enough when data and users stay put, but mobile devices exacerbate the challenge by carrying regulated data into unknown, uncontrolled territory.
The first step is to evaluate data security regulations and determine which are applicable to your business. When doing so, you will find that few regulations enumerate threats or measures specific to mobile devices. Instead, regulations define the types of data that must be protected, when and why, and related security processes like access monitoring and breach reporting. For example:
- U.S. financial firms that fail to comply with the Gramm-Leach-Bliley Act (GLBA) face fines that start at $10,000 per violation. GLBA is designed to protect the privacy of "personally identifiable financial information" (PIFI) used in commerce transactions. Banks, brokerages, CPAs and others in the financial industry are required to take steps to ensure the integrity, confidentiality and security of PIFI; prevent unauthorized access to PIFI; and mitigate reasonably foreseeable threats that could result in PIFI disclosure, misuse or destruction.
- Hospitals, medical offices, HMOs and others in the healthcare industry must comply with Health Insurance Portability and Accountability Act (HIPAA) guidelines. For example, HIPAA Section 4 requires those companies to implement technical security mechanisms that guard against unauthorized access to "protected health information" (PHI) transmitted over a communications network, including access controls, audit controls, integrity, authentication, transmission security, and processes for security management and incident response and reporting. Failure to comply with HIPAA can result in civil or criminal penalties, starting at $50,000 in fines and one year in prison.
- Merchants and other companies that participate in payment card processing must now comply with the Payment Card Industry (PCI) Data Security Standard (DSS). This standard, created by aligning Visa and MasterCard requirements for safe handling of sensitive information, provides a framework for developing a robust account data security process. Specifically, DSS enumerates requirements that payment card industry players should meet to secure and monitor their networks, protect cardholder data, manage vulnerabilities, implement strong access controls, and maintain security policies.
- A growing number of businesses must comply with California Senate Bill 1386 (CA SB 1386), which requires notification of customers, employees or other individuals affected when a security breach occurs and a CA resident's unencrypted personal information is reasonably believed to have been acquired by an unauthorized person. Comparable breach notification bills have now been enacted in at least 35 states.
- The Sarbanes-Oxley Act (SOX) requires publicly held companies to protect financial accounting and auditing systems in order to ensure the reliability of financial statements. Section 404 mandates financial reporting internal controls so that transactions are securely authorized, recorded and reported. Section 409 requires prompt reporting and handling of unauthorized financial data disclosure. In addition to market repercussions, SOX violators may incur up to $1 million in fines and/or 20 years in prison.
Understanding the impact on mobile data
GLBA, HIPAA, PCI, SB 1386 and SOX are perhaps the best-known regulations here in the U.S. but are just a few of the hundreds of regulations that apply across the world. If your company must comply with one or more regulations, the next step is to map the associated data-security standards or guidelines onto your business processes, network and systems. Part of this task is to consider the impact of those regulations on mobile data.
For example, SOX requires that organizations have effective internal controls. When mobile devices carry financial data (email messages, spreadsheets, database records), those internal controls could involve written policies governing acceptable use of mobile devices and data encryption to prevent loss of control if a mobile device is lost or stolen.
GLBA requires that PIFI be secured at all times. When applied to a mobile workforce, this could involve use of encrypted communication to prevent disclosure of data sent over wireless WANs or LANs that lie beyond company control, as well as measures to preserve that data's integrity (e.g., avoiding transaction forgery, modification or replay).
PCI DSS requires companies to monitor their networks and use strong access controls to prevent unauthorized access to cardholder data. When merchants provide wireless access to mobile devices – handheld inventory checking or point-of-sale payment processing, for example – they must prevent that vector from being abused as a back door to reach stored data or implant trojans that could capture future payment transactions.
The bottom line
Clearly, there are many more potential impacts; the details differ depending on the regulations involved and the nature and location of your business. The most important thing to understand is that mobile devices simply cannot be overlooked when attempting to comply with data security regulations. Few (if any) companies remain untouched by mobile devices, whether owned by the employer or the employee. Headlines repeatedly remind us of the potential costs, from last year's stolen VA laptop containing 26 million personnel records to this year's multi-billion-dollar wireless hack at TJX. Including mobile devices in your compliance strategy right from the start is far less expensive than dealing with the fallout from a major security breach.
About the author: Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.
This was first published in June 2007