ICO issues guidance on DPA compliance and BYOD

The survey shows that while 47% of all UK adults use their personal smartphone, tablet or laptop for work purposes, less than 3 in 10 are given guidance on how to do so securely. “The rise of smartphones and tablet devices means that many of the common daily tasks we would have previously carried out on the office computer can now be worked on remotely,” commented Simon Rice, group manager (technology) at the ICO. “While these changes offer significant benefits to organizations, employers must have adequate controls in place to make sure this information is kept secure.”

The simple fact is that companies have been allowing BYOD while there is no clear or standard approach to securing it. “IT has been staring down the barrel of mobility, and all the security issues it entails for the last couple of years,” explains John Livingston, chairman and CEO at Absolute Software. “It’s seriously worrying to find so many companies taking no action to properly secure and manage their mobile devices.” Apart from the risk of lost commercial information, the risk of lost personal data – which is what particularly concerns the ICO – could lead to serious loss of reputation and increasingly heavy fines; “particularly,” adds Livingston, “as EU legislators look at re-writing the rule books when it comes to data regulation.”

“Essentially,” explains Dr Guy Bunker, SVP of products at Clearswift, “people use their own devices to suit their needs and ultimately to be more productive, which is commendable. Many organizations have policies in place regarding use of laptops, but the proliferation of smart devices at work means that another level of protection must be added as once that device holds company data, it needs to be covered by the company’s security policy.”

The new ICO publication, Bring your own device (BYOD), seeks to provide detailed advice on how to operate a secure BYOD policy and remain compliant with the Data Protection Act. It combines advice on user and device policy. Users, for example, must clearly understand what data can and what data cannot be transferred to mobile devices. Most of the controls, however, refer to the devices themselves, and include the use of strong passwords, encryption, device locking and/or data wiping after multiple incorrect access attempts, and remote wiping in the event of loss or theft.

While the advice does not go so far as to prevent the use of cloud synchronization services (such as Dropbox and Box) used as a file transfer method, it does advise severe caution: “Use public cloud-based sharing and public backup services, which you have not fully assessed, with extreme caution, if at all.” [ICO’s emphasis.] “Do not forget that transferring data using public cloud services such as SaaS storage, email or social networks can also leave the data at risk of interception by the cloud service provider or a foreign law enforcement authority, if that public cloud service provider is based overseas.”

“It is crucial,” concludes the advice, “that as data controller you ensure that all processing for personal data which is under your control remains in compliance with the DPA. Particularly in the event of a security breach, you must be able to demonstrate that you have secured, controlled or deleted all personal data on a particular device.”

“Any organization that does not take BYOD seriously is simply setting itself up for a data breach,” adds Dr Bunker, “which will ultimately be more costly to the organization (in terms of revenue and reputation) than dedicating some time to updating and enforcing its security policy.”