BYOD Security: Complying With Australian Privacy Principle 11.

Last week (28 April to 4 May 2013) was “Privacy Awareness Week” in the Asia Pacific region.  Australia is one of the entities that participates in PAW (the others are, in alphabetical order, Canada, Hong Kong, Korea, Macau, Mexico, New Zealand, and the USA).

As part of the awareness campaign, the Office of the Australian Information Commissioner (OAIC) released their “Guide to Information Security: ‘reasonable steps’ to protect personal information.”  There is much information, and an entire subsection is dedicated to the use of encryption.  That doesn’t come as a surprise, seeing how cryptography is a key aspect of effective IT security; it could very well end up being the only information security measure that is (indirectly) listed as a requirement in complying with the Australian Privacy Principles.

BYOD and Australian Privacy Principle 11

According to the Parliament of Australia:

Australian Privacy Principle 11 (APP 11) protects personal information by imposing specific obligations on both agencies and organisations which hold that information. The principle also provides that entities take reasonable steps to destroy or de-identify the personal information once it is no longer needed… these obligations are in line with international best practice on privacy protection.

What are these “specific obligations” that are “in line with international best practice on privacy protection”?  The answer to this question is quite complex, but when it comes to BYOD, mobile devices like smartphones and tablets, and laptop computers and their storage accessories, using encryption software to protect the data is probably up there on the do-list.

Consider the following:

  • Best practices vary from country to country, but most include a provision for data encryption, and provide safe harbor from legal and other penalties if used.
  • Encryption is used extensively for destroying or de-identifying information.  For example, remote wiping of smartphones is based on deleting the encryption key (Note: Best practices still require physical destruction of information – including shredding, grinding, melting, etc., but only when it is possible to do so. If a device is lost or missing, encryption is the last, and best, resort).
  • Encryption is at the heart of all e-commerce, including on-line banking and credit card processing.
  • Where such data is made available – such as the USA’s HIPAA (Health Insurance Portability and Accountability) “Wall of Shame” – the loss of devices accounts for more than 50% of data breaches (in the case of HIPAA, those affecting 500 or more people).

Encryption is a time-tested, bona fide solution for the many risks that accompany the use of devices that store sensitive data.  Australian law, however, will probably follow in the footsteps of established legislation around the globe and not make its use a requirement.

Instead, indirect incentives for its use, such as the extension of safe harbor for encrypted data, which was already mentioned before, or monetary fines and penalties for data breaches where encryption is not used, are much more likely (and the accepted model in other countries).

Indeed, it was revealed only one week ago that financial penalties will be assess under the Exposure Draft Privacy Amendment (Privacy Alerts) Bill 2013:

Repeat and serious offenders face financial penalties of up to $340,000 for individuals or $1.7 million for organisations – a maximum penalty which was last month increased from $220,000 and $1.1 million respectively.

Small-scale offenders could be taken to court and fined up to $34,000 for individuals, and $170,000 for organisations.

Making It Easy to Install, Deploy, and Manage BYOD Encryption

Of course, there will be other ways to comply with APP 11, depending on the circumstances.  However, it wouldn’t be a reach to say that none of these other solutions offer the dynamism, robustness, facility, or peace of mind that encryption offers.

Just because encryption is a proven technology and easy to use, however, it doesn’t mean that it’s easy to set up or maintain.  An individual user must, among other things:

  • Ensure that the machine is ready for successful installation,
  • Ensure that the encryption key or keys are backed up (just in case.  Otherwise, it will prove impossible to recover the protected data if something were to go awry, like a disk becoming corrupted),
  • Ensure that there is a way to regain access to the information if one forgets one’s password,
  • Etc.

Try doing the above for more than one computer, and soon you’re running into logistical problems.  Indeed, effective encryption key management is seen as the top challenge for organizations that use encryption to secure their data.

The use of an encryption management server, if one’s available for the particular cryptographic software you’re using, resolves these issues but introduces another problem.  Namely, that you’ve got to maintain the server, which requires its own resources: employee time; additional costs for said time, underlying software, hardware, server space, etc.; and concerns about scalability and reliability.  (On a personal note, I’ve seen encryption management servers slow down once they start reaching around 2,000 users, a stark contrast to its zippy past when there were only a couple of hundred endpoints listed.)

Avoiding such problems is what makes AlertBoot Mobile Security such an effective service.  The cloud-based solution makes keeping track of encryption keys very simple, and installation can be started in minutes, not days (or weeks, or months!) from anywhere with an internet connection.  And, the 24/7 password recovery (via phone or web-based self-service) ensures that users will have a verified method for regaining access to their machines.

Of course, encryption is not the be-all, end-all: seeing how APP 11 is the eleventh privacy principle, logic dictates that there must be at least ten more of these (there are thirteen in all), and their compliance bring their own unique challenges.

However, encryption is bound to be one of the core solutions for compliance, and AlertBoot is one of the easiest and cost-effective methods to do so.  If you’d like more information, you can start by visiting us here or here, if you’re looking to become a partner.

Related Articles and Sites:

Comments (0)

Let us know what you think