Laptop theft and mobile data theft (tape backups, iPhones, BlackBerries, USB drives) account for nearly half of the cases of serious corporate data breach and workplace identity theft. Your corporation's data breach protection will be significantly improved by educating your staff on the following mobile data best practices:
Before you save sensitive data to any mobile device, it is your responsibility to:
- Determine if your organization allows you to remove the data in question from the office in the first place. Are you allowed to save that database, Excel file, Word document, customer list, employee record, intellectual capital, etc. on your laptop, thumb drive or other mobile device?
- Decide if it is absolutely necessary to remove it from the more highly-controlled and secure environment of the office. In many of the major cases of reported data breach, the data stored on the mobile device did not actually need to be there in the first place.
- Verify that you have been authorized by your supervisor to place a copy on your device. When in doubt, check with your manager, supervisor or privacy officer to determine the correct course of action.
- Exhaust all other lower-risk alternatives for accessing the data. In many cases, it is possible to utilize a secure remote access connection to access the data so that it never leaves the company premises. You lower your personal liability when you access the data through centralized, highly secure methods.
As you save sensitive data to the device, it is your responsibility to:
- Minimize the number of records you transfer. If you don't need the entire contact database, take only the records that you need. In case of a breach, this minimizes exposure.
- Minimize the corresponding fields for each record transferred. If you only need names and phone numbers, don't transfer additional account information such as address, account numbers, etc.
- Consider de-identifying the data to render it anonymous. For example, if you track medical records using a Social Security Number but are transferring the data to do a high-level analysis of overall profitability, there is no need to include the SSNs in your transfer. Exclude that column from the data you take with you.
Before you leave the office, it is your responsibility to:
- Attempt to encrypt the individual data file. In addition to encrypting the data device itself, it is possible in many software programs to encrypt the individual data file, giving an added layer of protection.
- Make sure your data device has been encrypted. This will most often be the responsibility of your IT department, but it is your responsibility to verify that they have done their job.
- Protect your device with a strong password that utilizes letters, numbers, symbols and upper/lower case characters where possible?
- Protect the individual sensitive files with a separate, strong password. The programs that allow you to encrypt individual files will also allow you to assign individual passwords to the file.
Once you have left the office, it is your responsibility to:
- Utilize a secure wireless internet connection only (e.g., in airports, hotels, coffee shops, etc.). Make sure your IT department has enabled WEP wireless encryption on your wireless device.
- Run a secure firewall between your laptop and your connection to the internet.
- Email sensitive data only when absolutely necessary and even then, use an encrypted, password-protected format?
- Physically secure (lock down) the device when in transit (e.g., in your car, in the airport, in your hotel room).
When you no longer need the sensitive data on your device, it is your responsibility to:
- Remove and electronically destroy all remnants of the sensitive files on your device (e.g., digital shredding, low-level formatting and occasionally, like in the case of DVDs, CDs and tape backups, complete physical destruction). If this task falls under the responsibility of your IT department, it is your responsibility to make sure, to the best of your ability, that they do their job.
If this seems like a great deal of responsibility, that's because it is. In the information economy, our most valuable assets are the information that we collect, store and protect every day. As executives or employees of our respective organizations, it's not just profitable to protect sensitive information; it's also the right thing to do.