Always-on encryption justified, say analysts

The call from Ontario’s privacy commissioner for organizations to always encrypt data on any mobile device staff use — whether they handle personal information or not — may not be welcome by executives.

Few Canadian public or private organizations have data encryption by default as a privacy policy. Most believe that top executives, financial, legal or designated staff need to their laptops encrypted.

But industry analysts say the recommendation – which comes after contract staff at Elections Ontario lost two USB memory sticks with millions of names and birth dates – is both practical and affordable.

“This can be done in relatively seamless fashion with little interference to the end user,” says Chris Sherman, a researcher at Forrester Research who specializes in data privacy.

“There’s really no reason not to do it,” agreed Philip Clarke, a research analyst who specializes in wireless mobility at Nemertes Research –unless, for example, it can’t be done on a device yet, such as a tablet.

“Regardless of what industry you’re in, you can’t be losing data. It’s a bad idea.”

In fact, Sherman said, a number of U.S. states have laws mandating that all personal information must be encrypted.

Massachusetts, for example, has a regulation (201 CMR 17.00) that flatly mandates “encryption of all personal information stored on laptops or other portable devices” used by any person that has or licences personal information about a state resident. It also mandates that personal data sent over the Internet has to be encrypted.

In April a developer paid a US$15,000 fine to settle a complaint that a staffer had unencrypted data on 600 tenants on a laptop.   California, Illinois and Nevada also have privacy laws that mandate organizations to encrypt personal information on all portable devices, Sherman said.

“With the proper skills and staffing any organization can implement software controls to automatically determine where sensitive data lies and whether or not encryption is necessary and enforcing it where appropriate,” Sherman said.

“With the same software you can enforce that policy that all devices regardless of media are encrypted.

Ontario privacy commissioner Ann Kavoukian argued this week that to absolutely ensure no one ever slips up, organizations shouldn’t be allowed to decide if only some staffers need to use encryption. The technology should be used all the time on all mobile devices.

Her recommendation came following her investigation into the Elections Ontario fiasco.

Ironically, the agency did have rules mandating encryption on data sticks. However, the temporary staff handling the devices weren’t trained on how to use the encryption software.

Sherman said that in the public sector, particularly in regulated industries, corporate rules mandating personal data on all portable devices be encrypted is emerging as a best practice.

There’s no shortage of vendors offering end-point encryption solutions, from desktop security verterans like Symantec Corp. and McAfee Inc. to disk drive manufacturers with hardware-based encryption such as Seagate and Western Digital. There’s even open source software called TrueCrypt.

The easiest tool to use is on many corporate desktops: Microsoft’s BitLocker, which comes on advanced versions of Windows, said Nemertes’ Clarke.

Mobile device management solutions – either on-premise or hosted – can be used for policy enforcement on laptops, tablets and smart phones, he added – anything with an operating system.

Encryption of thumb drives can be enforced through Microsoft Active Directory to alert the operating system when a USB drive is plugged into a PC.

Most companies want to encrypt personal data, Clarke added. But certain devices may cause problems. For example, two months ago a global manufacturing company told him it is hesitating about allowing staff to use Apple Inc.’s iPad because it couldn’t figure out how to encrypt data sent over its Wi-Fi network.

Why isn’t always-on encryption the standard in all organizations? Some are willing to run the risk of losing data, Clarke said. The only solution, he thinks, is government regulation.

“There will be push-back from some companies,” he predicted, in part because they’ll feel “it will be a pain to do.”

 

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now