Workplace mobile phones - Data Security Warning!

Under the General Data Protection Regulation (GDPR) your technical security measures are vital to avoiding data breaches that could lead to fines and serious damage to the reputation of your business. This involves properly securing all devices, particularly mobile ones where loss or theft is a much greater risk.

Whether you supply such devices or allow your employees to use their own, you need to be aware of vulnerabilities that might compromise their security.

The technical press is reporting one such issue this week [23/10/19] that shows how the choice of devices can affect the choice of acceptable access controls.

The issue relates to Samsung S10 and Note 10 smartphones: it has been discovered that the fingerprint scanning technology they use is not reliable, particularly when screen protectors are fitted. Samsung is working on a software patch that it is hoped will be issued shortly. In the meantime, any employee using a Samsung device who accesses personal data held by your company should be advised to move to PIN or pattern based security, to ensure that the information cannot be accessed by others should the device be lost or stolen. This will also ensure the security of the employee’s personal data, and the change should be considered by anyone using a Samsung device.

The security patch may have been issued by the time you read this article and those using Samsung devices are advised to apply any update prompted by their device immediately. 

However, the variability in the reliability of fingerprint sensors means that fingerprints should be avoided as a blanket policy for access to mobile devices. While the Samsung patch may be immediately effective, as with all such updates there is no guarantee. Sony mobile telephones confirm when setting up a fingerprint lock that this may not be as secure as a PIN or pattern, and users have reported that others have been able to gain access to a device locked with a fingerprint. Apple appear to have achieved a better level of accuracy with their iPhone sensors, but their planned in-screen fingerprint sensor may not provide the same effective security, as all developments have potential flaws (as Samsung has found out recently!). A strong, 6-digit PIN has only a one in a million chance of being correctly guessed, and many devices will allow for a full lock on access if the PIN is incorrectly entered three times. Even if this is not possible on a particular device, a delay is usually enforced.

If you have a Bring Your Own Device (‘BYOD’) policy allowing employees to access personal data held by your business on personal devices, enforcing proper security on the device can be difficult. The use of Mobile Device Management (‘MDM’) software can assist with this, placing all business data in a secure electronic compartment on the phone with additional access controls and centrally managed updating and deletion of data within it. While no technical solution is fool-proof, such software is a way to improve the security of data for which you are responsible while avoiding the cost of supplying secure devices to all employees or preventing them from using devices that have arguably transformed the way we work.

Sorting out your technical security is only half the battle. It is important to document the steps you take in this area, and to record any compromises made due to resources or the perceived low risk of your processing. You also need to ensure that physical paper data is protected through practical policies minimising the risk of loss.

On a more positive note, recent studies have demonstrated that businesses that can demonstrate good data security with full transparency are viewed positively by consumers, so taking the right steps could not only avoid fines but enhance your reputation!

This article is for information purposes only and does not amount to professional advice. If the issues raised affect you then professional legal advice should be sought.

Please contact Rosemarie Close on rclose@heringtons.com for further information.
