From the “I told ya so” file: Seems that lost and stolen mobile devices are in the news quite a bit lately. Since this is something I keep tabs on, I’d be remiss if I didn’t share these nuggets with you.
First up: Gadget aficionados are probably familiar with the recent flap over what would seem to be a prototype of Apple’s next-generation iPhone that the editor of gadget blog Gizmodo (pictured at left) paid to acquire.
The prototype in question was apparently left in a bar here in Silicon Valley (well, really more up the Peninsula) by an Apple employee where it was recovered by another patron and then eventually made its way into the hands of Gizmodo in exchange for $5000.
Of course, the Gizmodo guys dissected the thing to get the scoop on the next great thing from Apple. The latest development in this story is that police have raided Gizmodo editor Jason Chen’s home and seized a bunch of computers and other devices (including another mobile device, Chen’s iPad) as part of an ongoing investigation into the incident. (CBS News has a good blog post and relevant links.) Gizmodo’s own coverage of the whole story can be found here.
Aside from the fact that this is all just plain interesting and entertaining, why do I mention it here?
Well, your organisation’s own mobile devices (including laptops, smartphones, iPads, USB drives, etc.) are a common source of data loss. And the people that find or steal them may not be as interested in the hardware as in the confidential data that’s on them. Further, whether or not the finders/stealers have any interest in the data found on your mobile devices, if you’ve got unencrypted data on them, or they provide access to unencrypted data (such as e-mail attachments or files) that represents protected healthcare, identity or financial information, the loss of such devices may put you in a situation where you have to notify regulatory authorities about that loss.
To wit: In an address at the Infosecurity Europe conference today, David Smith, deputy commissioner of the UK’s Information Commissioner’s Office, revealed that the NHS (Britain’s National Health Service) has, to date, reported the largest number of serious data breaches. The most common source of such breaches? Stolen data or hardware, followed by lost data or hardware.
See, “InfoSec: NHS worst culprit for data breaches” at Computerworld UK for details.
Here in the US, lost or stolen mobile devices seem to be the most common source of breaches of private health care information (PHI). As I’ve noted previously, the US Department of Health and Human Services now publishes breaches on its Web site as part of enforcement of HIPAA/HITECH. The HHS’s Web page with these disclosures is here: HHS’s Posted List of Healthcare Data Breaches.
The US HIPAA/HITECH regulations note that loss of suitably encrypted information is not something that needs to be reported/disclosed. To avoid this sort of disclosure, you need encryption both for data at rest (i.e., encrypt those laptop hard drives) and for data in motion (i.e., adopt policy-based encryption for e-mail, monitor outbound transmissions for the presence of PHI, PFI, etc., and encrypt or block as warranted).
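To make the "monitor outbound and encrypt or block" idea concrete, here is an added example (not from the original post or any product it mentions) of a minimal outbound e-mail policy check: it looks for identity data (US SSN-shaped numbers) and financial data (payment card numbers confirmed with a Luhn checksum, so random digit runs don't trigger it) and returns allow, encrypt, or block. The patterns, the domain names, and the policy rules (internal recipients get encryption, card data to external recipients is blocked) are assumptions for illustration.

```python
import re

# Identity data: US SSN-shaped numbers (assumed pattern; excludes invalid groups).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Financial data: 13-16 digit runs with optional space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(body: str) -> set:
    """Return the set of sensitive-data classes found in an outbound message body."""
    found = set()
    if SSN_RE.search(body):
        found.add("identity")
    for m in CARD_RE.finditer(body):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("financial")
            break
    return found


def policy_decision(body: str, recipient_domain: str, internal_domain: str) -> str:
    """Assumed policy: clean mail is allowed; sensitive mail staying inside the
    organization is encrypted; card data leaving the organization is blocked;
    other sensitive data leaving the organization is encrypted."""
    classes = classify(body)
    if not classes:
        return "allow"
    if recipient_domain == internal_domain:
        return "encrypt"
    if "financial" in classes:
        return "block"
    return "encrypt"


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a well-known test card number.
    print(policy_decision("Claim for SSN 123-45-6789 attached", "example.org", "example.org"))
    print(policy_decision("Pay with card 4111 1111 1111 1111", "partner.example", "example.org"))
    print(policy_decision("Order ref 1234 5678 9012 3456", "partner.example", "example.org"))
```

A real deployment would also inspect attachments and apply the same checks to files leaving on removable media, which is where the lost-device cases in this post usually start.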
There’s no intention here of beating up on any particular organization. I’ve been tracking statistics on data loss related to lost or stolen mobile devices and storage media for several years, and these sorts of losses are anything but rare.
To recap from 2009 data:
“How Common are Data Leaks in General? Via Email? Via Lost or Stolen Devices?
- More than one third (34%) of US companies surveyed say their business was impacted by the exposure of sensitive or embarrassing information in the last 12 months. One third (33%) said they had been impacted by improper exposure or theft of customer information. 28% said they had been impacted by the improper exposure or theft of intellectual property.
- 43% of US companies investigated a suspected e-mail leak of confidential or proprietary information in the past 12 months. 34% investigated a suspected violation of privacy or data protection regulations in the past 12 months.
- More than 1 in 5 of US companies surveyed (22%) investigated the exposure of confidential, sensitive or private information via lost or stolen mobile devices in the past 12 months. 51% of respondents are highly concerned about the risk of information leakage via email sent from mobile devices.