Analyst Perspective: Meeting State Data Security Requirements
By Jeff Goldman
This is the fourth in a series of in-depth interviews with industry analysts, discussing their perspectives on key issues related to BlackBerry smartphones.
Chris Hazelton is research director for mobile and wireless at The 451 Group. His research covers all aspects of mobile and wireless within the enterprise, as well as the emerging prosumer space. The 451 Group's mobile and wireless research practice focuses on mobile software and services, wireless networks (both LAN and WAN), and mobile devices.
On March 1st, 2010, a new data security law [PDF file] took effect in Massachusetts, requiring that any company holding personally identifiable information on a Massachusetts resident maintain a "comprehensive information security program" to protect that data. And the Massachusetts law isn't the first -- data security regulations are already in place in several other states as well.
"California, New Jersey, Nevada and now Massachusetts all have state-level encryption laws, but of those, Massachusetts is the most rigorous," Hazelton says. "The other ones are saying that you need to protect personal identifiable information, or PII, but only Massachusetts really goes forward and says you need to do that through encryption on these devices -- not just on notebooks, but on any mobile device."
The most logical way to do so, Hazelton says, is through software as a service -- or, on a BlackBerry, through a Web app. "It looks and feels like an application, but you're really opening up a bookmark to a browser, and all that data and information you're interacting with is on a server, encrypted," he says. "You can have password access to the application, and you can have password access to the device itself, and then you have the ability to lock and wipe the device... That's a very good way of complying with these regulations."
In many ways, Hazelton says, the Massachusetts law simply standardizes what many companies are already trying to do. "The regulators were saying, 'You have all these different companies that are chasing the same problem but in a different way -- let's, in a vendor-agnostic way, direct them towards industry-standard encryption and... software as a service, so that you don't have data residing on all these thousands of devices,'" he says.
And Hazelton says BlackBerry devices in general are a particularly good fit for the Massachusetts regulations. "With BlackBerry, you have AES-256 encryption for data over the air... and then you can encrypt the device itself and the storage on that device," he says.
The point is that the BlackBerry innately takes care of a significant portion of most security requirements. "BlackBerry with BES already does a lot of the legwork for HIPAA and for Sarbanes-Oxley... If you're pushing out daily reports on a public company to officers of the company, you need to make sure that those devices are locked down for Sarbanes-Oxley," Hazelton says.
And that combination of security and control, Hazelton says, is unique to BlackBerry devices. "Android doesn't do it," he says. "iPhone does it to a degree, in that Exchange allows you to do remote wipe and management, and you're able to enforce specific profiles on the iPhone -- but there's only about 14 management policies between Exchange and iPhone, versus 450 for BlackBerry."
Looking forward, Hazelton says it's reasonable to expect that other states will follow Massachusetts' lead, since many companies will already be in compliance with the regulations. "It's almost like the California automobile laws, where it's such a huge auto market that car vendors around the world have to abide by California emissions laws," he says. "This is the same thing: if you're a company and you have customers all over the U.S. -- even if you're an international company and you have customers in the state of Massachusetts -- you are liable for this law. And so even though it's just Massachusetts, it's having a significant impact on the way vendors are providing services."
Regardless, Hazelton says, most BlackBerry deployments are already in good shape to meet any current and future encryption requirements. "Compared to other operating systems, in particular Android, which is gaining in popularity in the consumer space and is going to start to move into the enterprise, BlackBerry is well ahead in terms of security... to meet these state regulations around protecting customer data," he says.