Security: your PDA could land your boss in court.


This article explores liability under the Data Protection Act in relation to mobile devices - particularly where company data is being used on private devices. This is no longer just a security issue - it is a legal issue with a potential criminal conviction at stake. The biggest problem is the PDA (Personal Digital Assistant). Sometimes these devices belong to the company, sometimes to the employee. But they are personal digital assistants - and whoever owns them, they are used in a personal manner. Consequently they frequently fall outside of the corporate security policy, because they are not treated as company property. If staff aren't told where they can drive their company car, why should they be told how to use a few hundred pounds worth of PDA?

PDAs are serious computers

But PDAs are no longer simple electronic aide memoires - they are small computers of increasing power and sophistication. The current crop of Palm Pilots has a memory capacity of 8 MB and can store 10,000 addresses, 400 e-mails, and 3,000 documents with notes. They are carrying more and more corporate data, more and more personal data - and are more and more a popular target for theft. The only solution to all of these `threats' is encryption. Encryption is clearly the way to protect communications. It won't stop eavesdroppers (whether government-sponsored Echelon, profit-driven industrial spies, or good old hackers) from intercepting your messages - but it will stop them gaining anything useful from them. But encrypting communications is no longer enough: you also need to encrypt the data stored on the PDA to keep on the right side of the law. PDAs are easily stolen and lost, as was recently illustrated by Taxi Newspaper and Pointsec Mobile Technologies in a survey which found that a staggering 2,900 laptops, 1,300 PDAs and over 62,000 mobile phones had been left in London's licensed taxi cabs in the past 6 months. And unless the data on these devices is encrypted, it could not only prove very costly but also result in a criminal conviction. What is happening to laptops today will happen to PDAs tomorrow. The number of high profile laptop thefts is frightening, and growing. In the USA, a computer insurer has estimated that 5% of all laptops are stolen within their first 12 months of service. Last year the Daily Mirror reported that at least 37 UK government laptops had been lost or stolen since 1997. We have to wonder just how many unreported thefts actually occur.

However, while it is clearly advisable to encrypt the data stored on your Palm, it may, within the European Union, in fact be a legal requirement. Palm Pilots are frequently used to store company contact information. This is likely to include a home address, mobile phone number and even home phone number. In other words, it is likely to include personal information that needs to be registered under the Data Protection Act 1998, and is liable to the strictures of the Act.

The seventh principle of this Act is unequivocal: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." First of all it is worth considering who is liable under this Act. The Act states that conformance to the Data Protection Act is the responsibility of the Data Controller. And it says that "... `data controller' means ... a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed."

Senior managers are personally liable

In other words, this `person or persons' is effectively the Board and the immediate data processing managers. One thing it isn't is the person who `owns' the computer/PDA. You could say that if the data is on the PDA by company assent, then it is the company that is determining the purposes for and manner in which it is to be processed - and it is therefore the company that is liable. Therefore, if your PDA gets into the wrong hands it could land your boss in court. But if the data is on the PDA without company assent, then the company has already broken the Data Protection Act by failing to protect "against accidental loss or destruction of, or damage to, personal data", that is, it has `broken' the seventh principle. "If it's company data being used by an employee on company business, then the company in principle controls it (through the employee's duties of fidelity, following the rulebook, etc) and must make rules (and provide systems) that protect it from unauthorised use or disclosure. The rules might say, for example, that if employees carry company data on their own PDAs, they must use encryption to protect it. The employee is of course responsible for implementing the rules, but is probably responsible to the employer rather than directly to the Commissioner," explains Nicholas Bohm, a consultant to the E-Commerce Group of City law firm Fox Williams. In other words, the company is still liable!

Quite simply, there is no way round this - if employees use PDAs that include contact information, the company is liable to the conditions of the Data Protection Act. And, once again, it is worth considering the wording of the Act itself: "Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly." That means you, Mr Company Director!

Now, what actually constitutes appropriate technical and organisational measures is something that ultimately can only be defined by the Courts - but it would be best not to let it get that far. It seems fairly clear that `organisational' measures could be covered by a formal written and enforced security policy designed to protect the PDA and its data. But appropriate `technical' measures is more difficult. If we were talking about the corporate mainframe, then we would obviously be thinking about a firewall. Vendors are known to be working on chip-based firewalls that can be built into PDAs - but we're not there yet. So for the Palm Pilot and other PDAs we need something else - and all we've really got is encryption.

Be safe - encrypt!

Encrypted data is safe data. Confidential information is hidden from industrial spies and hackers alike. This is an advisable although not compulsory course of action. However, if the PDA contains contact information, then you must seriously consider its liability under the Data Protection Act. In this case, encryption is almost compulsory.

Strong wireless security devices are being used by companies more frequently than ever before, with products such as Pointsec for Palm OS, which combines access control with encryption for mobile devices. It now means organisations can have one security system which protects a range of handheld computers, laptops and PCs from unauthorised users as well as keeping companies compliant with EU and UK legislation. This puts an end to embarrassing and potentially damaging leaks of information from wireless devices that could land the company on the wrong side of the law.

Are you businessmen breaking the law?

It is generally accepted that the majority of people and companies have never bothered to register with the Data Protection Registrar, even when it is very clear that they should.

It is not so well known, however, how many people and companies contravene the Data Protection Act through their use (or abuse) of personal data stored on their computers.

The two most important let-offs are that processing of personal information may be carried out:

(a.) with the permission of the individual

(b.) in performance of a contract with the individual

What does this mean? Well, it implies that you can keep and process personal information on your existing clients. But you cannot (without their permission) maintain and process a database of information on prospects. If you do this, you are probably breaking the law.

But remember that even where the use of personal data is legal, you still need to obey the seventh principle - you need to keep the data secure, and that probably means you need to encrypt it. If you use a PDA to store contact information, you are probably subject to the Data Protection Act, 1998. Within the European Union, the seventh data protection principle requires you to protect personal data with appropriate organisational and technical measures. On a PDA, data encryption is the best technical method to secure personal data.

Magnus Ahlberg, Pointsec Technologies Ltd
COPYRIGHT 2001 A.P. Publications Ltd.

Article Details
Author:Ahlberg, Magnus
Publication:Database and Network Journal
Geographic Code:1USA
Date:Oct 1, 2001
Words:1482