Author: Daniel J. Solove
A recent study by the Ponemon Institute, The Risk of Regulated Data on Mobile Devices and in the Cloud*, reveals a stunning need for improvement on managing the risks of mobile devices and cloud computing services. The survey involved 798 IT and IT security practitioners in a variety of organizations including finance, retail, technology, communications, education, healthcare, and public sector, among others. The results are quite startling.
The study concluded that “the greatest data protection risks to regulated data exist on mobile devices and the cloud.” 69% of respondents listed mobile devices as posing the greatest risk followed by 45% who listed cloud computing.
Some other key findings include:
* Only 16% of respondents said their organization knew how much regulated data “resides in cloud-based file sharing applications such as Dropbox, Box, and others.”
* Only 19% said their organization knew how much regulated data was on mobile devices.
* Only 32% believed their organizations to be “vigilant in protecting regulated data on mobile devices.” Nearly three quarters said that employees didn’t “understand the importance of protecting regulated data on mobile devices.”
* 43% of organizations allow “employees to move regulated data to cloud-based file sharing applications.”
* Although 59% of organizations permit employees to use their own mobile devices “to access and use regulated data,” only about a third have a bring your own device (BYOD) policy.
* In the past two years, the average organization had almost 5 data breaches involving the loss of theft of a mobile device with regulated data on it.
Wow! These findings are quite alarming, and they show that organizations are significantly underappreciating the risks of mobile and cloud.
The Risks: What are the risks? Here are a few:
1. Unsafe Security Practices. With their own mobile devices and with their own cloud service provider accounts, employees might engage in unsafe security practices. Mobile devices might not be encrypted or even password-protected. When using cloud services, employees might not have the appropriate settings or an adequately strong password. They might not understand the risks or how to mitigate them.
2. Choice of Cloud Service Provider. There are many cloud service providers, and they vary considerably in terms of their privacy and security practices. Cloud service providers may not have adequate terms of service and may not provide adequate privacy protections or security safeguards.
3. Regulatory Troubles. If an employee of a HIPAA covered entity or business associate shares protected health information (PHI) with a cloud service provider, a business associate agreement is likely needed. Employees who just put PHI in the cloud might result in their organization being found in violation of HIPAA in the event of an audit or data breach.
4. The Ease of Sharing. Sharing files is quite easy with many cloud providers – sometimes too easy. All it takes is a person to accidentally put regulated data into a shared file folder, and . . . presto, it will be instantly shared with everyone with permission to view that folder. One errant drag and drop can create a breach.
5. The Ease of Losing. If you don’t carry an umbrella on an overcast day, it surely will rain. And if you put regulated data on a mobile device without adequate protection, that device will surely be lost or stolen. Call it “Murphy’s Mobile Device Law.”
Key Steps for Improvement: What should be done?
1. Educate the Cs. The C-Suite must be educated about these risks. These are readily-preventable risks that can be mitigated without tremendous expense.
2. Develop Policies. The study indicates that there is often a lack of policies about the use of mobile devices and cloud. There should be clear written policies about these things, and employees must be trained about these policies.
3. Educate the Workforce. Everyone must be educated about the risks of mobile devices and cloud and about good data security practices. According to the Ponemon Study, “Respondents believe that most employees at one time or another circumvent or disable required security settings on their mobile devices.” Employees must know more about the risks of using unapproved cloud service providers, as well as the special risks that cloud service applications can pose.
4. Instill Some Fear. The study reveals that almost systemically at most organizations, the risks of mobile and cloud are underappreciated and often ignored. There needs to be a healthy sense of fear. Otherwise, convenience will win.
The Ponemon Study reveals that there is a long way to go before most organizations adequately address the risks of mobile and cloud. The problem runs deeper than the fact that these risks are hard to redress. The problem seems to stem from the fact that the risks are woefully underappreciated by many in organizations, from the top to the bottom. That has to change, and soon.
Originally posted on SafeGov.org.
Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School, the founder of TeachPrivacy, a privacy/data security training company, and a Senior Policy Advisor at Hogan Lovells.
* The Risk of Regulated Data on Mobile Devices and in the Cloud*, June 2013, sponsored by WatchDox.