With Great Storage Comes Great Responsibility
Portable electronic storage devices such as USB flash drives, external hard drives, cell phones, MP3 players, and other mobile devices with data storage capabilities have become very popular because of their portability and low prices. However, the use of such devices comes with risks that must be recognized and addressed to protect both the physical devices and the information they contain.
Two points make these risks worth taking seriously. First, the ever-growing capacity of such devices means that enormous amounts of data can now be carried in a very small footprint, so a single lost device can expose a great deal of information. Second, concern about privacy and identity theft keeps growing, along with the volume of data about each of us already held in electronic databases.
The University is legally obligated to protect several types of data under its control, which are covered by laws, regulations, and industry standards such as PCI, HIPAA, FERPA, and FACT. All University employees need to recognize the part they play in adequately protecting sensitive data.
The most effective way to secure sensitive data is not to store it on mobile devices. Ideally, sensitive data should only be stored on authorized University servers and accessed remotely using secure communication techniques provided by authorized University IT resources. However, University business requirements may sometimes justify storing restricted data on mobile devices. In those limited cases, users must obtain permission from appropriate University management and ensure that reasonable steps are taken to keep the University’s sensitive data private and secure.
Mobile storage devices face two principal risks: theft or loss of the device itself, and unauthorized access to or copying of its contents. It has been reported that data on electronic devices may be routinely copied at border crossings. In either case, disclosure of potentially sensitive data, including intellectual property, can cause lasting damage to the University's reputation as well as a myriad of expenses that may include fines, legal costs, and notification fees.
The principal precaution, again, is not to store sensitive data on the mobile device at all. When there is a valid and approved business reason for such storage, the active protection must be encryption of the data stored on the device, so that a device that is lost, stolen, or copied does not expose its contents to whoever holds it.
Some laws and regulations allow a "safe harbor" if the data on a lost device was encrypted using a generally accepted encryption algorithm, sparing you and the University a potentially embarrassing or costly situation. All new University laptops are required to have encryption software installed. Many USB flash and hard drives now come with encryption features for little additional cost; consider purchasing only such versions. Don't forget that encryption implies a means of decryption. If you leave the password for decrypting the data easily accessible, for example written on a note in the laptop bag or stored in a file beside the encrypted data, the strength of the encryption algorithm is irrelevant, just as the strongest lock is useless when the key dangles by a string from the doorknob.
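As an added illustration of the encrypt-before-you-copy advice (this script is not part of the original advisory and does not describe any University-issued tool), the shell script below uses the OpenSSL command-line tool to encrypt a constructed sample file with a passphrase-derived key, checks that the resulting ciphertext reveals nothing about the contents, and shows that only the correct passphrase restores the file. The tool choice, file names, sample data and passphrases are assumptions made for the demonstration; it requires OpenSSL 1.1.1 or later for the -pbkdf2 option.

```shell
#!/bin/sh
# Added illustration, not part of the original advisory: passphrase-based file
# encryption with the OpenSSL command-line tool before the file is copied to a
# USB drive. Assumes OpenSSL 1.1.1 or later (needed for -pbkdf2). File names,
# sample data and passphrases are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
PLAIN="$WORK/grades.csv"          # constructed sample of restricted data
CIPHER="$WORK/grades.csv.enc"     # what actually goes on the USB drive
ITER=200000                       # PBKDF2 iteration count; both sides must agree

printf 'student_id,course,grade\n10001,CS101,A\n10002,CS101,B+\n' > "$PLAIN"

# Encrypt with AES-256-CBC. -pbkdf2 -iter derives the key from the passphrase
# with a salted, deliberately slow KDF instead of OpenSSL's weak legacy one.
# -pass pass:... is used here only so the script runs unattended; when you do
# this by hand, omit it and let openssl prompt, so the passphrase never sits in
# shell history or in a file next to the encrypted data.
encrypt_file() {  # encrypt_file <plaintext> <ciphertext> <passphrase>
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITER" \
        -in "$1" -out "$2" -pass "pass:$3"
}

# Decrypt; returns non-zero when the passphrase is wrong (padding check fails).
decrypt_file() {  # decrypt_file <ciphertext> <plaintext> <passphrase>
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -in "$1" -out "$2" -pass "pass:$3" 2>/dev/null
}

# Returns 0 if the ciphertext no longer contains the plaintext header, i.e. the
# file is unintelligible to someone who copies the drive without the passphrase.
ciphertext_hides_plaintext() {  # ciphertext_hides_plaintext <ciphertext>
    ! grep -q 'student_id' "$1"
}

# Returns 0 if a wrong passphrase either fails to decrypt at all or yields
# garbage that differs from the original file (it can never do better).
wrong_passphrase_fails() {  # wrong_passphrase_fails <ciphertext> <plaintext>
    out="$WORK/wrong.csv"
    decrypt_file "$1" "$out" 'not the right passphrase' || return 0
    ! cmp -s "$2" "$out"
}

# Demonstration run.
encrypt_file "$PLAIN" "$CIPHER" 'correct horse battery staple'
ciphertext_hides_plaintext "$CIPHER" && echo "ciphertext reveals nothing"
decrypt_file "$CIPHER" "$WORK/restored.csv" 'correct horse battery staple'
cmp -s "$PLAIN" "$WORK/restored.csv" && echo "correct passphrase restores the file"
wrong_passphrase_fails "$CIPHER" "$PLAIN" && echo "wrong passphrase does not"
```

A hardware-encrypted drive or the full-disk encryption required on University laptops does the same job transparently; the script simply makes the principle visible. Note that the only thing standing between a thief and the data is the passphrase, which is why it must be memorized or kept in a separate, protected place rather than alongside the device.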
Encryption is essential, but it is not a substitute for common sense. Always keep track of and physically secure your mobile devices, especially when traveling. Contact your IT support group for help with encryption and other security measures for your mobile devices.
Posted: January 12, 2009