
Mobile Device Cybersecurity: SEC Offers New Guidance

by John DiGiacomo, Partner


The Securities and Exchange Commission (“SEC”) has just issued new, comprehensive guidance on the methods that businesses and not-for-profit organizations should use to guard against hacking, ransomware and other malicious and criminal attempts to exfiltrate company data and consumer information. See here. If your data and your computer systems are vulnerable, your business is at risk for huge financial and reputational liabilities. Cybercrime continues unabated. Just last month, Clearview AI, a company that provides facial recognition software to law enforcement and private businesses, experienced its first major data breach. The company is already facing financial losses and governmental scrutiny.

Data breaches have been expensive for companies over the last couple of decades. Now, however, breaches are potentially even more expensive since many jurisdictions have enacted laws allowing for consumer private rights of action and for statutory penalties if personally identifiable consumer data is lost. Thus, the SEC’s newly issued recommended risk management practices are a timely reminder of the many-layered approach that is essential to guard information and data from cybercriminals.

One of the more interesting sections of the SEC’s guidance is the one concerning mobile device security. Increasingly, mobile devices have become a weak link in data and information security. This is true for several reasons. First, mobile devices sit at the intersection of internal and external threats to your data. Data breaches and exfiltrations often originate from within. Imagine a disgruntled employee intentionally copying data onto a flash drive, or an overworked, forgetful mid-level manager who loads or keeps a large volume of sensitive data on a laptop because it is “convenient.” A real-world example occurred a couple of years ago at a UK supermarket chain. A rogue IT employee intentionally leaked personal and financial data on 100,000 employees, and the chain was held responsible for the data loss. See the news report from the Guardian here.

Second, mobile devices tend to be much less protected than desktops and servers. This is partly because the people using mobile devices are non-IT employees who are not experts at maintaining security protocols. Further, employees resist turning over their mobile devices for routine security maintenance. Common excuses include “I need it to finish my project tonight,” “I like it the way it is” and “My stuff is on there.” As a result, mobile devices are far more vulnerable to external, over-the-network attacks. Third, being small and portable, mobile devices can be physically removed. Once a cybercriminal has physical possession of a device, the data can be extracted at leisure.

Finally, mobile devices can be an enormous data security risk because many companies encourage bring-your-own-devices practices. Needless to say, employees and vendors strenuously resist efforts to impose IT security protocols on their own personal devices. Businesses encourage bring-your-own-devices practices for many reasons including cost-savings and popularity with workers. As the SEC guidance makes clear, such practices may be short-sighted. That being said, it is clear that mobile devices are now a fixture of the modern workplace.

Recommendations for Mobile Device Cybersecurity

Many of the SEC’s recommendations for mobile device security are the same as those for non-mobile systems. Thus, there must be an organizational commitment to data security, written policies must be adopted and implemented for device security, devices must be tracked and inventoried, and users must receive thorough and effective training on general cybersecurity practices. However, security protocols must also address some of the unique vulnerabilities of mobile devices, like those discussed above. Among the mobile-device-specific protocols are these:

  • Training and implementation of physical security measures — for example, mobile devices should never be left unattended in the interior of a vehicle; they should be locked in the trunk or removed
  • Procedures to be followed — quickly and immediately — if the device is lost or stolen
  • Training with respect to data security including encryption protocols, device locking mechanisms and passcode creation and mandatory periodic re-creation practices
  • Training on what data is appropriate to store on the device
  • Training on what should NOT be stored on the device and proper protocols for deleting data
  • Consents and agreements from vendors and employees for remote access to mobile devices for any and all purposes whether company-owned or personally-owned
  • Installation of company-approved security applications and software which can be updated remotely by IT staff
  • Prohibitions on installing non-approved security features and disabling company-installed security systems — you do not want your vendors and employees or the cybercriminals locking out your IT staff
  • Ability to remotely wipe the device if and when necessary — this is essential if the device is lost/stolen but also for when employees separate from the company
  • Installation of device GPS/tracking features
  • Installation of filters or blocks that prevent printing, copying, pasting, or saving information from the mobile device to other devices

If you have legal questions about data security, how to respond to data breaches or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100.
