Expect Privacy Leaks through Stolen Laptops, PDAs and Smartphones

A few years ago, every time we’d hear of another stolen laptop or lost mobile, it was cause for consternation: “I wonder what private data was on it,” or “Oh no, this security compromise notice will sully our reputation and no one will want to do business with us anymore.” Nowadays it turns out that it’s the device user who should probably worry the most. A full 68 percent of users in a recent InfoWatch survey reported storing private personal information on their mobile devices.

Now, “private personal data” may be a little loose in definition. Don’t tell my wife, but I keep reminders for our anniversary and birthdays on my handheld. And if you look hard enough, I’m sure you could find a few frequent flyer numbers and maybe my pet’s name or my mother’s maiden name. I wouldn’t say I’d never remember this information if it weren’t on there, but there are senior moments when it’s nice to have.

I lock my phone, not because of the information on board, but because I don’t want anyone using my phone. However, I don’t enable a maximum-password-attempts feature that erases the device on, say, the 10th failed attempt. I had a BlackBerry a few years ago with a button that stuck, which is exactly the kind of thing that would trigger such a wipe. My point is that I balance privacy, security, and usability. As one of those 68 percent, I’m not keeping a credit report, online banking passwords, a social security card, a driver’s license or a passport on the device.

There is a more troubling statistic: the same mobile users are 81 percent more likely to have their devices stolen, according to the Ponemon Institute (’05 to ’06). That magnifies the problem significantly when you realize you’re nearly twice as likely to “lose” your device. I know better than to intentionally store Personally Identifiable Information (PII) like my Social Security Number, but the convenience and ultra-portability of my handheld has me doing an ever greater multitude of things anywhere, at any time. I’m receiving faxes from my doctor through email, or reading over PDF copies of real estate contracts from lawyers. This information remains on my handheld for a few days, but it’s not all on there simultaneously. My exposure if the phone is lost is limited by the amount of memory on the device and by the fact that I’m not buying houses or receiving lab results daily, so the information is simply overwritten.

There isn’t the same memory mitigation on laptops, where desktop-replacement performance and huge hard drives allow an awful lot of storage. Things I do on the road make my laptop a perfect repository for information that accidentally lingers. How many people would think to check their Outlook temp folder when cleaning their hard drive? You know, the place where every email attachment you open is saved locally so Word or Adobe Reader can open it. I use a software product (Clean Disk Security) to shred that space, my Recycle Bin, and my slack space. But I don’t remember to erase everything constantly, and it’s not a scheduled task; I can’t have my laptop slow to a crawl at random during a customer presentation. Suddenly the unintentional convenience of a laptop’s mobility brings the other statistics in the same InfoWatch survey into play.
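The lingering-attachment problem above is a good candidate for exactly the scheduled task the post says is missing. The following is an added example, not code from the original post or from the Clean Disk Security product: a small Python routine that walks one attachment temp folder (the path is supplied by the caller; no particular Outlook location is assumed), overwrites any file older than a retention window, and deletes it. Because it touches only that one folder and only stale files, it is cheap enough to run from a scheduler without the slow-to-a-crawl effect of a full-disk shred. The sample files and timestamps in `demo()` are constructed for illustration.

```python
"""Scheduled cleanup of lingering e-mail attachment copies.

Added example (not the post's or any product's code). Assumes a single
attachment temp directory whose path the caller supplies and a retention
window in days; anything older is overwritten once and then unlinked.
"""
import os
import tempfile
import time
from pathlib import Path


def overwrite_and_delete(path: Path, chunk: int = 64 * 1024) -> None:
    """Overwrite a file's contents with zeros, flush to disk, then unlink it.

    Caveat: on SSDs, journaling filesystems or cloud-synced folders the old
    blocks may survive a logical overwrite; full-disk encryption is the
    control that actually protects a lost device.
    """
    remaining = path.stat().st_size
    with open(path, "r+b") as fh:
        while remaining > 0:
            n = min(chunk, remaining)
            fh.write(b"\x00" * n)
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())
    path.unlink()


def purge_stale_files(temp_dir, max_age_days: float, now: float = None) -> list:
    """Shred every regular file in temp_dir older than max_age_days.

    Returns the sorted list of removed file names so a scheduled run can
    log what it cleaned up. Subdirectories are deliberately left alone.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    removed = []
    for entry in Path(temp_dir).iterdir():
        if entry.is_file() and entry.stat().st_mtime < cutoff:
            overwrite_and_delete(entry)
            removed.append(entry.name)
    return sorted(removed)


def demo():
    """Build a constructed temp folder with one stale and one fresh file,
    run a 7-day purge, and return (removed, remaining) names."""
    with tempfile.TemporaryDirectory() as d:
        stale = Path(d) / "contract_draft.pdf"   # constructed sample
        fresh = Path(d) / "lab_results.pdf"      # constructed sample
        stale.write_bytes(b"%PDF-1.4 constructed stale attachment")
        fresh.write_bytes(b"%PDF-1.4 constructed fresh attachment")
        # Back-date the stale file's mtime by ten days.
        ten_days_ago = time.time() - 10 * 86400
        os.utime(stale, (ten_days_ago, ten_days_ago))
        removed = purge_stale_files(d, max_age_days=7)
        remaining = sorted(p.name for p in Path(d).iterdir())
        return removed, remaining


if __name__ == "__main__":
    print(demo())
```

Run from Task Scheduler or cron with the real attachment folder and a retention window that matches how long you actually need the files; the return value gives you an audit trail of what was shredded. Treat the overwrite as hygiene rather than as a substitute for encrypting the drive.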

Between 12 and 16 percent of respondents stored confidential corporate documents, company IP, or private client and partner data. Loss of this data affects other people, sometimes catastrophically. This is why sectoral laws like GLBA and HIPAA and industry self-regulation like the Payment Card Industry (PCI) standards and the Better Business Bureau require things like hard drive encryption, strong passwords or hardware fingerprint readers. This is also why CISOs seek professionals trained in privacy and security (Certified Information Privacy Professional and Certified Information Systems Security Professional respectively) to assist in threat assessments, vulnerability analysis, and risk mitigation, creating a safer overall corporate security and privacy posture.
