Ensuring mobile data protection for smartphones is critical

The threats against your company's IT resources -- and in particular its data -- have never been greater. As users store company data on their smartphones and similar mobile devices, we asked Sean Glynn, head of product development with Credant Technologies, what the smartphone security dangers are and what steps businesses and their employees can take to ensure mobile data protection on their increasingly intelligent smartphones.

Encrypting data on the fly on most smartphones takes an awful lot of processing power, with end users getting frustrated with seeing the hour-glass busy symbol under Windows Mobile, or similar busy icons under other operating systems. But what happens if you don't encrypt the data on your mobile device? What can possibly go wrong?

Quite a lot actually, when you consider the requirements of the Data Protection Act in the UK and similar legislation in the U.S. and Europe.

The Act -- now backed up by European data directives -- moves the issue of data protection out of the good-to-have and firmly into the must-have category, mainly because of the responsibilities it engenders.

Those responsibilities are compounded by the fact that many company employees often use their own mobile devices for business - and vice versa - meaning that security safeguards applied to company smartphones and laptops are often not applied to personal devices. The latest crop of Palm smartphones has a data capacity of 2 gigabytes, and they can easily store 2,000 emails and/or 3,000 medium-sized documents. And not just can - they frequently do, as more and more employees are choosing to replicate their desktop documents and emails to their smartphone, for ease of reference and replies when they are out of the office.

So what is the solution for safeguarding these mobile devices?

The only solution to all of these potential threats is encryption. Encryption is clearly the way to protect communications. It won't stop eavesdroppers from intercepting your messages - but it will stop them from gaining anything useful from them.

But encrypting communications is no longer enough - you also need to encrypt the data stored on the smartphones or mobile devices to stay on the right side of the law.

How bad is the potential problem with smartphones?

Mobile devices are easily stolen and lost -- as was illustrated in 2008 by a global survey by Credant Technologies -- which found that taxi users were, and probably still are, leaving a flotilla of smartphones and mobile devices in the back of taxis as they dash off to their business meetings. In both New York and London the figure was around 66,000 mobile phones and around 6,000 other mobile devices such as PDAs and laptops.

Unless the data on these devices is/was encrypted, it could not only prove very costly but also result in a criminal conviction.

And the number of high-profile laptop thefts is frightening, and growing. In the U.S., a computer insurer has estimated that 5% of all laptops are stolen within their first 12 months of service.

Encryption can clearly help protect smartphones, but can you explain the regulations with regard to corporate data stored on smartphones?

While it is clearly advisable to encrypt the data stored on your smartphone, it may in fact be a legal requirement under the growing number of state data security laws and statutes, as well as the American Recovery and Reinvestment Act (ARRA) of 2009 [Stimulus Act], which now mandates additional data breach notification requirements for certain types of companies. Smartphones are frequently used to store company contact information. This is likely to include a home address, mobile phone number and even a home phone number.

In other words, it is likely to include personal information that needs to be registered - and protected - as required under the ARRA.

What's the situation in regard to corporate responsibility?

First of all, it is worth considering who is liable under various acts such as ARRA.

It is arguable that, if the data on the smartphone or similar mobile device is there by company assent, then it is the company that is determining the purposes for and manner in which it is to be processed. And it is therefore the company that is liable.

So could you end up in court over your smartphone's data?

Probably not, but the bad news is that, if your smartphone falls into the wrong hands, it could land your boss in court.

Furthermore, if the data is on the smartphone without company agreement, then your company has probably already broken numerous different rules and regulations by failing to protect "against accidental loss or destruction of, or damage to, personal data".

Company rules might say, for example, that if employees carry company data on their own smartphones, they must use encryption to protect it.

What do the legal professionals say about this?

There is no way around this - if employees use smartphones or similar mobile devices that include company contact information, the company is liable to adhere to the conditions of ARRA.

Should a company director be worried?

What actually constitutes appropriate technical and organizational measures is something that ultimately can only be defined by the courts - but it would be best not to let it get that far.

It seems fairly clear that 'organizational measures' could be covered by a formally written and enforced security policy designed to protect the smartphone and its data. But covering appropriate 'technical measures' is more difficult.

If we were talking about the corporate mainframe, then we would obviously be thinking about a firewall.

As a company director, you are in the legal firing line. Is encryption really the answer?

Unfortunately, despite the best efforts of the smartphone and PDA vendors, few mobile devices include any sort of firewall protection, so it is down to users to encrypt their data and stay safe.

Encrypted data is safe data. Confidential information is hidden from industrial spies and hackers alike. This is an advisable although not compulsory course of action.

However, if the smartphone contains contact information, then you must seriously consider its liability under the Data Protection Act and ARRA. And in this case, encryption is almost compulsory.
