
Why the ICO's BYOD guidance may translate to 'bring your own data breach'


When the UK's Data Protection Act (DPA) was enacted in 1998, almost all data was generated, consumed and stored on company-owned and managed equipment.

These were usually desktop PCs with a typical lifecycle of five to seven years, running an 'industry standard' operating system. The situation is very different in the contemporary business landscape: while data is still largely produced on PCs, it is increasingly accessed on user-owned, and often hand-held, devices such as laptops, tablets and smartphones.

This brings a range of complications for businesses, notably the increased risk of data loss through theft or misadventure, the requirement to secure a bewildering array of mobile phone operating systems (including multiple versions of each), and a higher disposal/recycle frequency.

It is encouraging to see that the Information Commissioner's Office (ICO) has recently issued updated guidance notes that re-interpret the 1998 Data Protection Act to reflect how mobile technologies are changing the workplace.

One key issue addressed in the document is 'bring your own device' (BYOD). The guidance states that the data controller (i.e. the business) must have security in place for BYOD to prevent personal data from being accidentally or deliberately compromised. This means that although corporate IT has less control over the configuration and specification of devices used by their information workers, any data breach reported to the ICO and found to originate from a device owned by an employee/contractor is still the legal responsibility of the data processor.

It is also worth noting that the Data Protection Act (DPA) is applicable to any company operating in the UK, regardless of whether it is registered in this country or overseas.

While the ICO has successfully addressed a number of core issues to bring the DPA in line with the times, it does not cover the full lifespan of users' mobile devices. Even if a business has a functioning BYOD policy to safeguard sensitive corporate and personally identifiable data while a device is in use, these efforts can be futile if that data is not systematically wiped when the handset is sent for disposal or recycling.

This issue is exacerbated by the shorter upgrade cycle for consumer mobile phone contracts, which are typically 12 to 24 months.

At the end of last year, the ICO went some way to tackle the issue of how to deal with obsolete or surplus devices by issuing its IT Asset Disposal Guidance Notes. While this acknowledged the importance of deleting personal data, it did not specifically address one key problem facing businesses: standard data wiping techniques simply will not work for devices using solid-state drives (SSDs).

This is becoming significant given that SSDs are used in two devices that are becoming ubiquitous in the corporate world: smartphones and tablets.

Data security legislation is in its infancy and cyber crime is endemic in these markets, so any inadequately wiped mobile device ending up in the wrong hands has the potential to wreak havoc. This means data processors must use data wiping solutions that are auditable and offer a certificate of data sanitisation in order to ensure BYOD schemes will benefit, not harm, their business – even after a device has been decommissioned.

Ken Garner is business development manager at BlackBelt
