Beware the iPhone?
Blogger: Eric Maiwald
There were lines around the block. People waited to catch a glimpse of one and hopefully buy one. There were news stories about it. What could have caused this much anticipation? Was it a concert for some famous rock star? Was it a championship game? Was it a chance to catch Barry Bonds’ 756th home run ball?
Nope. It was the iPhone. Of course, the iPhone is not just any new cellular phone. With its slick graphics and user interface, it is leaps and bounds ahead of anything mortal man has seen before!
Well…maybe not.
One thing is certain, the iPhone has caused some concern for large enterprises. Since many employees are purchasing iPhones and hooking them up to their computers at work, there is a fear that large amounts of sensitive information may be transferred to the devices. Of course, this is nothing new (not really anyway). Many employees have PDAs, SmartPhones, or even USB memory sticks and use them to store sensitive information. Maybe it is just the fact that the hype around the iPhone has made it more visible than the other devices and that has gotten the attention of the enterprise.
Handheld devices like phones, PDAs, and memory sticks are so common as to be invisible while in plain sight. We all know that portable computers can hold sensitive information. The news media has seen to it that any time a portable computer is lost or stolen, the details of how many credit card or social security numbers were on it is a front page story. Of course, portable computers are assets that are tracked by enterprises. If an employee loses one, there tends to be a loss of productivity. I can just see a Dilbert cartoon coming:
Dilbert: “Hey Wally, why haven’t you responded to my emails?”
Wally: “I didn’t see them.”
Dilbert: “Why not? Don’t you check your email?”
Wally: “I lost my computer a few months ago so I haven’t been checking my email.”
Dilbert: “Three months ago? Why didn’t you call the help desk and get a new one?”
Wally: “I figured it would be easier to just wait for the hardware refresh cycle.”
So when a portable computer is lost or stolen, the enterprise hears about it. If the computer contains personally identifiable information (PII), the breach notification laws require customers to be contacted, and a negative consequence occurs for the enterprise. Notice that the loss of PII may not in itself be a negative consequence to the enterprise. The cost of replacing credit cards is incurred by the banks. The cost of fraudulent purchases is incurred by the merchants. The individuals may incur costs associated with identity theft. The enterprise incurs costs because of the requirement to notify the individuals and admit the loss or theft. The banks and merchants may then sue, as is happening in the case of TJX.
Let’s go back to the handheld devices. If a PDA, phone, or memory stick is lost or stolen will the enterprise even know about it? Are these devices tracked as assets of the enterprise? Do employees report the loss or theft if the devices belong to them instead of the enterprise? In many cases, the enterprise will not know about the loss or theft and will likely not have any idea what information is on the device.
Does the enterprise want to know? That is not an easy question to answer. I’m sure that the enterprise wants to know if an event will impact the business. So a memory stick that includes secret designs, patent applications, or other trade secrets would interest the enterprise. Perhaps there are things that could be done after the fact to control or limit the negative consequences.
What if the information is PII? The negative consequences are going to fall on some other entity (banks, merchants, or the individuals). The negative consequences fall on the enterprise only if it knows that the information was lost and that it was unencrypted. If the enterprise doesn’t track the devices and never learns that the device was lost or that it contained PII, then the enterprise can’t be expected to report it to the media or the individuals. If the PII is used to commit fraud or identity theft, will it be possible to follow the trail back to the lost device? Probably not.
So should enterprises track the use of handheld devices and memory sticks? Should the enterprise try to control them? Ethically, I think the answer is yes. Enterprises have a responsibility to protect sensitive information in their possession. However, from a risk management standpoint, the decision may sometimes go the other way.