You’ve most likely heard about Apple’s response to a Feb. 16 federal ruling that requires the company to essentially hack into San Bernardino terrorist Syed Rizwan Farook’s iPhone. A lesser known aspect of this case shows how the current legal battle could have been avoided. It also has implications for how your organization manages sensitive information on mobile devices.
It’s important to note that Farook’s employer, the San Bernardino County Department of Public Health, issued and owns the phone in question. The phone was set to automatically back itself up to iCloud whenever it came in range of a recognized Wi-Fi network. The last iCloud backup was taken on Oct. 19, about six weeks before the shooting.
In the hours after the attack, the Department of Public Health performed a remote password reset of the phone in an attempt to gain access to information on the phone. This had the unintended effect of preventing any future iCloud backups from taking place.
Had they not reset the password, the county could have taken the phone within range of a known Wi-Fi network to see if a backup would occur. They could then have petitioned Apple to provide information from the backup, without the need to hack into the phone itself. Apple has an established history of responding favorably to requests for information in its possession, and this would have avoided the controversy entirely.
What Does This Mean To Your Organization And The Security Of Your Information That Runs Through Mobile Devices?
Here are some questions that you should be asking:
- Do you have a policy to protect sensitive information on mobile devices? If employees are accessing email and opening attachments, then you need to assume that sensitive information is on their device.
- Do you have a clearly defined process to respond to situations where mobile devices are lost, stolen or compromised? Are you sure this process is effective?
- Are your mobile devices backing up sensitive data to cloud-based services? Do you want them to be doing this?
- Do you have a Data Retention Policy to ensure that information is retained as long as is needed, and is destroyed when it may become a liability?
- Does your Retention Policy extend to mobile devices?
At Infinize, we guide organizations in making strategic decisions that protect and manage their information. Contact us to learn more.