Mobile Device Management in an Age of Paranoia
Smartphones don't look particularly dangerous. But in the wrong hands, they can cause serious damage to a company's finances, reputation, and even long-term survivability. And those "wrong hands" aren't always the folks on the wrong side of the law.
Increasingly, law enforcement is targeting smartphones and other mobile devices as a way to catch criminals -- with potentially disastrous implications for businesses and other organizations that rely on mobile-enabled employees.
Most recently, in a ruling last week, the California Supreme Court permits police to search cellphones and mobile devices without requiring a warrant. According to the ruling, in the event of an arrest California police have a legal right to search not just phone records, but all applications and data that reside on the device -- including corporate-owned data.
The actual case involved an individual, Gregory Diaz, accused of dealing Ecstasy in 2007. A Ventura County deputy sheriff arrested Diaz, who initially denied the transaction. But after searching the mobile phone and reviewing a text message string that appeared to indicate the sale of six Ecstasy pills, Diaz admitted to participating in the drug sale.
Diaz's lawyer attempted to invalidate the warrantless search on several grounds -- including the fact that as a device, a phone was not worn on the suspect's "person" (thus rendering it ineligible for search). But the Supreme Court ruled otherwise, arguing that a warrantless search of devices is acceptable.
This may not seem like a big deal, at least to companies that aren't in the habit of employing drug dealers. (And let's hope yours isn't!) But shift the facts just slightly and the problem becomes evident.
Let's say that instead of a drug dealer, the victim was a doctor, arrested for speeding. (Doctors never speed, right?) And let's say instead of searching a text message string, the officers looked at Protected Health Information (PHI) on the doctor's mobile device - and uncovered a list of patients under treatment for, say, AIDS.
The potential consequences to the hospital are devastating: Not only must it inform patients of a privacy breach (an effort which can, by itself, cost millions of dollars). It may also face fines and legal action for allowing the information to be revealed in the first place.
Worse, options for protection are uncertain. One solution is to require password protection and encryption of sensitive data - but it's unclear at present whether the law requires the arrested individual to enter the password. And what if the device contains automatic links to confidential websites -- in other words, the information that can be accessed resides in the cloud rather than on the device itself? Does law enforcement have the right to view such information? The law doesn't say.
The bottom line? The time to think about managing and protecting mobile devices is now. And your strategy should include appropriate encryption, authentication, and the ability to wipe devices instantly in the event of a breach -- even if that "breach" is created by law enforcement.
Johnson is president and senior founding partner at Nemertes Research, an independent technology research firm. She can be reached at firstname.lastname@example.org.
Read more about anti-malware in Network World's Anti-malware section.