The ICT security industry has seen more changes in the past four years than the last twenty years computers have been with us. These changes have mainly been a result of the advancement in portable devices, especially smartphones. These smartphones are basically microcomputers with processing power capabilities that were resident in PCs of a decade ago. Popular smartphones have Android, Symbian, Windows Mobile, Apple and Blackberry operating systems.
Many companies issue smartphones, and other portable devices, to employees for business. It is often taken for granted that company ICT security policies also apply to these devices. This is often not the case because many companies are yet to resolve the question of who is responsible for the loss of these devices (and the data contained therein).
Best practice states that the data controller is the person liable. This is explicitly stated in most Data Protection legislation, for example the Data Protection Act in the United Kingdom. This data controller is defined as the person (either alone or with other persons) who determines the purpose for which and the manner in which any data are to be processed.
That company issued smartphone is meant for company business and the data stored in it is there by company consent. This means that it is the company that determines the purpose and method in which the data is to be processed. It is therefore clear that senior managers are data controllers and the other persons are effectively the Board.
It can be argued that the employee would be responsible for the loss of a company issued smartphone if he/she did not implement the security policies of the organization. However the employee would only be directly responsible to the employer.
One effective way this can be done is by implementing encryption in company smartphones. Employees would then be obligated in ensuring that the encryption software is on and effectively protecting company data.
If, however, the lost smartphone contained unencrypted sensitive data that would have far-reaching consequence to the general public, then the manager and Board would land in court.
The absence of a Data Protection Act in Kenya means that apportioning liability for data loss due to portable devices getting lost is difficult. The draft Data Protection Bill, that is currently undergoing review and stakeholder consultation, should conform to the generally accepted liability principle of data protection.
Protecting data with appropriate organizational and technical measures is the responsibility of managers and the Board.