Summary: In 2011, we expect increased regulation that directly addresses protecting personal information on mobile devices, and the sensitive information revealed by geo-location tracking of mobile devices.
Geo-location knows where you and your device are all the time
Technology advances are increasingly enabling organizations to identify the physical location of a device, as well as the person using it.
In terms of privacy, organizations need to understand where to draw the line in using location data.
On the employee level, organizations can keep track of their workforce, comparing where their employees are at any given time versus where they are supposed to be. On the customer level, organizations can offer marketing programs that are based on immediate location.
If organizations decide to use physical location to track employees or reach out to customers with special offers, transparency is paramount.
Employees need to know what the policies are regarding geo-location and what tools they may have at their disposal to shield their privacy by choosing how much information they share on the device. Customers must have the opportunity to provide informed consent before allowing any organization to track their location.
Encryption is not all it’s cracked up to be
When data travels, organizations must understand and adhere to state, federal and international privacy regulations, which vary from one jurisdiction to another.
Some jurisdictions emphasize the encryption of personal information on mobile devices (e.g., the State of Massachusetts in the US).
But, in most cases, hard drive encryption is only useful when a mobile device is lost or stolen and it is in the “off” or “hibernation” mode. It doesn’t protect against hackers, nor does it necessarily protect information that is being backed up.
Encryption is an effective tool for protecting some data, but it does not prevent attacks and likely does not address your organization’s top security risks.
Training and transparency
The benefits to organizations and employees of being able to work in different locations and in different time zones bring increased responsibility for protecting the personal information employees use for work.
Employees and organizations alike need to understand and respect the limitations and technical controls of mobile devices. When employees use personal devices for work, organizations may be able to apply technical controls (e.g., require a download of a certain load set before allowing a personal device to connect to the firm’s network) that provide visibility into various content and activities on those devices.
Where should the organization draw the line in terms of infringement on personal privacy?
Organizations need to ensure that they have specific policies regarding the use of each mobile device issued, and the extent to which personal devices used for work purposes may be monitored.
Organizations should clearly communicate to employees what information is being monitored, how it is being monitored and the consequences for not adhering to mobile device policies.
Three ways to stay on top of mobile device security
- Consider both the advantages and risks associated with using mobile device geo-location information for your operations.
- Assess what level of encryption (or combination of levels) is merited to protect personal information in the common work settings of your organization.
- Review your privacy policies in light of your organization’s use of mobile devices.