Do you know where your data are? If you spend any time out on the road, the chances are at least some of your data are out there with you, on laptops and PDAs.

Financial advisors increasingly use mobile devices to keep customer details with them in the field and to make their presentations more effective. But taking the office with you carries the risk of leaving it behind somewhere and losing your clients’ personal data. Even popping into the washroom in a restaurant while leaving your laptop sitting on the table can lead to disaster.

“Clients’ personal information is being taken out of the office,” says Carmi Levi, who worked in information technology in the financial services sector before becoming a senior analyst at London, Ont.-based Info-Tech Research Group. “This can include information on their profession, investment history and investing style, along with details of discussions with them.”

The Personal Information Protection and Electronic Doc-uments Act already requires organizations to implement safeguards to protect personal information from data loss or theft. There is not yet an official requirement to notify the public of any such security breaches, but the Canadian Internet Policy and Public Interest Clinic believes the requirement may already be implicit. Privacy commissioners in British Columbia and Ontario have published a document entitled Breach Notification Assessment Tool, although its use is voluntary.

“It does seem to be the practice that you must inform people of breaches in order to be compliant with what they like to call best practices in privacy and data security,” says Don Johnston, president of the Canadian IT Law Association.

Simply saying that you’ll take extra care of your laptop or PDA when on the road may not be enough. One option is not to keep your data on the mobile device at all, but simply to access it using a broadband or wireless link from a PC at the office.

Doing this requires end-to-end data encryption, says Craig Read, director of Toronto-based m-tronix, which delivers wireless customer relationship management applications, and of the Toronto Wireless User Group. Virtual private networks that encrypt Internet traffic are ideal. Proper access policies also help. “That involves passwords, checking the access rights and checking the user’s role,” he says.

Richard Stone, vice president of marketing at Addison, Tex.-based Credant Technologies Inc. , isn’t convinced about central wireless access. He says there are many scenarios in which it is inadequate. “One example is where an advisor wants to access figures while on a plane,” he points out. In this case, the data have to be stored locally.

But storing data locally, protected with just a Windows log-
in password, is a recipe for disaster. Any half-competent data thief would be able to scour the disc for data — without logging into the laptop — using readily available disc-scanning tools.

Companies such as Credant and Lisle, Ill.-based Pointsec Mobile Technologies, encrypt data on mobile devices so that, even if the devices are lost or stolen, information will look like gibberish unless the necessary password is entered. Such systems can be accompanied with a second form of authentication, such as a smart card, to make it even harder to break into.

PC storage ports are also vulnerable. Using high-capacity, low-cost thumb drives, data thieves can copy vital data from a PC left alone for just a few minutes simply by plugging a device into the USB port. But software now can render those ports inaccessible. Companies such as PC Guardian Anti-Theft Products Inc. take things a step further, providing physical locks that can be put into USB ports to stop intruders from inserting their devices.

Encryption and USB port-blocking software can be centrally controlled by a larger IT department or used by a smaller group. Because laptop computers running Windows have relatively uniform specifications, it becomes easier to control centrally the encryption and password provision process independently of the end-user.

The same cannot be said for data encryption on personal digital assistants and smartphones, many of which now have high-capacity memory cards that hold gigabytes of information. These “small footprint” devices are considered a type of electronic jewellery by many and usually are not owned or controlled by the company. “One survey that we did in 2005 found that 85% of respondents owned their own smartphone,” says Michael Murphy, vice president and general manager of Symantec Canada. Moreover, 66% of people stored confidential business or client data on their smartphone. “So, who is responsible for owning that information?” he asks.

@page_break@“These issues mean a whole set of IT infrastructure challenges that most organizations have to get over before they start providing a managed service,” says Bob Eiger, vice president of product management and global marketing at Pointsec.

Effective policies can go a long way toward solving these problems, says Joe Greene, vice president for IT security research at IDC Canada. “You must ensure that the people who have these devices are trained and educated, in terms of what the risks are and the things that they can do to ensure their devices are not stolen.”

When Levi worked in finance IT, he published guidelines, including: never have your notebook computer behind you in a restaurant; and wrap the strap of your bag around your leg if your device is inside it. Amusing as that last item sounds, being able to show proof of best-practice guidelines and data encryption could save a lot of embarrassment and money. IE