It's like an irresistible force about to crash head-on into an immovable object. On one side is a growing army of mobile employees, many of whom carry sensitive information with them when they leave the office. On the other side are federal regulations protecting the confidentiality, integrity and availability of that sensitive data.
Devices such as laptops, handhelds, smartphones and thumb drives are easily lost or stolen. If that happens, and if the device carries regulated data, your organization likely will be out of compliance with regulations. For Bill Bergen, the need to prevent that problem became obvious one day in a routine meeting.
"I was in a boardroom, and there was a thumb drive in the crack of a chair," recalled Bergen, CIO and vice president of technology services at Workscape, a software and services provider focused on benefits administration and compensation planning.
"I pulled it out and said, 'OK, we just funded a project.' It turned out the thumb drive didn't have any data on it that was subject to regulation, but if you aren't on top of it every day, you lose touch with the risk."
Bergen and other experts said that while mobile technology can significantly increase productivity, it puts the compliance efforts of many organizations at risk. It's an issue that many organizations haven't dealt with head-on, they said.
Conflicting demands
The most widely discussed US federal regulations that enterprises must comply with are the Sarbanes-Oxley Act, which covers publicly traded companies; the Health Insurance Portability and Accountability Act (HIPAA), which covers organizations that handle health-related records that can be linked to specific individuals; and the Gramm-Leach-Blilely Act, which covers financial transactions. IT managers and executives have spent an increasing amount of time in recent years helping their organizations comply with these and other federal and state regulations.
During that time, many of the same IT managers have helped their companies become mobile, sending employees into the field with easy access to e-mail and key enterprise data. Most IT managers readily understand that mobility brings risk to all enterprise data, not just information covered by regulations.
"There are all kinds of data, like marketing plans and the like that you have to protect," said Bryan Palma, principal of Ponic, an information risk consulting and management service.
"If you lose a marketing plan and a competitor sees it, that's bad," Palma said. "But it's not a compliance issue."
In other words, he said, it's bad if sensitive information falls into the hands of a competitor. But noncompliance could result in long, expensive rounds of audits, system changes, and civil and criminal litigation. And because of the untethered and free-floating nature of mobile employees, it's harder to craft policies that make data secure and compliant.
"Wireless communications are borderless and are hard to control," said Richard Gibbons, a senior expert on compliance for Qumas, a provider of compliance software for financial services and life science organizations. "Organizations have been finding it difficult to craft sufficient policies."