The Securities and Exchange Commission (“SEC”) has just issued new, comprehensive guidance on the methods that businesses and not-for-profit organizations should use to guard against hacking, ransomware and other malicious and criminal attempts to exfiltrate company data and consumer information. See here. If your data and your computer systems are vulnerable, your business is at risk for huge financial and reputational liabilities. Cybercriminality continues unabated. Just last month, Clearview AI, a company that provides facial recognition software to law enforcement and private businesses, experienced its first major data breach. The company is already facing financial losses and governmental scrutiny.
Data breaches have been expensive for companies over the last couple of decades. Now, however, breaches are potentially even more expensive since many jurisdictions have enacted laws allowing for consumer private rights of action and for statutory penalties if personally identifiable consumer data is lost. Thus, the SEC’s newly issued recommended risk management practices are a timely reminder of the many-layered approach that is essential to guard information and data from cybercriminals.
One of the more interesting sections of the SEC’s guidance is the one concerning mobile device security. Increasingly, mobile devices have become a weak link in data and information security. This is true for several reasons. First, mobile devices sit at the intersection of both internal and external threats to your data. Data breaches and exfiltrations often occur from within. Imagine a disgruntled employee intentionally placing data on a flash drive, or imagine an overworked, forgetful mid-level manager who loads or maintains a large volume of sensitive data on a laptop computer because it is “convenient.” A real-world example occurred a couple of years ago at a UK supermarket chain. A rogue IT employee intentionally leaked personal and financial data on 100,000 employees, and the chain was held responsible for the data loss. See news report from the Guardian here.
Second, mobile devices tend to be much less well protected than desktops and servers. This is partly because the people using mobile devices are non-IT employees who are not experts at maintaining security protocols. Further, employees resist turning over their mobile devices for routine security maintenance. Typical excuses include “I need it to finish my project tonight,” “I like it the way it is” and “My stuff is on there.” As a result, mobile devices are vastly more vulnerable to external over-the-net hacking. Third, being small and portable, mobile devices can be physically removed. Once the device is in the physical possession of a cybercriminal, the data can be extracted at leisure.
Finally, mobile devices can be an enormous data security risk because many companies encourage bring-your-own-devices practices. Needless to say, employees and vendors strenuously resist efforts to impose IT security protocols on their own personal devices. Businesses encourage bring-your-own-devices practices for many reasons including cost-savings and popularity with workers. As the SEC guidance makes clear, such practices may be short-sighted. That being said, it is clear that mobile devices are now a fixture of the modern workplace.
Recommendations for Mobile Device Cybersecurity
Many of the SEC recommendations for mobile device security are the same as those for non-mobile systems. Thus, there must be an organizational commitment to data security; written policies must be drafted and implemented for device security; devices must be tracked and inventoried; and users must receive thorough and effective training on general cybersecurity practices. However, security protocols must also address the unique vulnerabilities of mobile devices discussed above. Among the mobile-device-specific protocols are these:
- Training and implementation of physical security measures — for example, mobile devices should never be left unattended in the interior of a vehicle; they should be locked in the trunk or removed
- Procedures to be followed — quickly and immediately — if the device is lost or stolen
- Training with respect to data security including encryption protocols, device locking mechanisms and passcode creation and mandatory periodic re-creation practices
- Training on what data is appropriate to store on the device
- Training on what should NOT be stored on the device and proper protocols for deleting data
- Consents and agreements from vendors and employees for remote access to mobile devices for any and all purposes whether company-owned or personally-owned
- Installation of company-approved security applications and software which can be updated remotely by IT staff
- Prohibitions on installing non-approved security features and disabling company-installed security systems — you do not want your vendors and employees or the cybercriminals locking out your IT staff
- Ability to remotely wipe the device if and when necessary — this is essential if the device is lost/stolen but also for when employees separate from the company
- Installation of device GPS/tracking features
- Installation of filters or blocks that prevent printing, copying, pasting, or saving information from the mobile device to other devices
If you have legal questions about data security, how to respond to data breaches or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100.