It’s the stuff of an IT manager’s nightmare: a government agency known by its initials sweeps in to audit the company for compliance with a set of vague regulations that may or may not clearly spell out what constitutes compliance.
Increasingly, compliance audits for FINRA, FERPA, HIPAA, MIPPA, NAIC, PCI and 22 other federal standards are focusing on mobile device security. Whether it’s a public Wi-Fi connection in a restaurant or office conference room, or an employee-owned tablet or smartphone connecting to a corporate network, there’s one place where many compliance audits are finding a crack in the security perimeter: mobile printing.
One reason for the heightened awareness among regulators is a rise in prosecutions and litigation related to the Computer Fraud and Abuse Act (18 USC §1030), or CFA. Publicity about the CFA makes state and federal regulators more intent on compliance in the areas tied to the most highly publicized data breaches – and increasingly, such breaches involve some kind of mobile device or removable storage device.
Shawn E. Tuma, an attorney recognized nationally as an expert in computer fraud and the legal issues surrounding data security, says that 90% of businesses have suffered a data loss that could be considered computer fraud under the CFA – and that’s just within the past 12 months. Tuma points out that cell phones, tablets, and printers all meet the definition of a computer for purposes of the CFA.
That’s because in 2011, in U.S. vs. Kramer, the U.S. Eighth Circuit Court of Appeals ruled that a computer could be defined as any device with storage and processing capabilities – and the Fourth Circuit Court of Appeals took things a step further, specifically naming devices like watches, telephones, MP3 players, and printers, so long as they are “protected” under the CFA. What does it take for a device with a processor and storage capabilities to be “protected” under the CFA? It has to be connected to the Internet, or to a network that is connected to the Internet.
Compliance Rules for Mobile Printing
The first rule is that there is no consistent standard for mobile printing compliance. The rules vary depending on what kind of business you work in. For instance, if your business is subject to FINRA, NAIC, FERPA or HIPAA oversight – meaning that your network processes, stores, or handles banking, financial services, insurance, health care, pharmaceutical, or educational data – then the security standards for mobile devices and printers are the same as those for any other “computer”.
In a compliance audit, you may be asked to show that:
- Data stored on these devices can be remotely wiped in the event of a data breach.
- Access to data stored on these devices – temporarily or permanently – is restricted and monitored, with accessible logs.
- You have secured the data on these devices with “appropriate measures” that meet industry standards.
If that’s not completely clear to you, then you’re not alone. The truth is that the CFA and the various industry oversight regulations are very complex, and the rules for compliance continue to change and evolve. In general, most compliance experts advise businesses to:
- Ensure that software and systems are updated regularly, including installing any recommended patches.
- Remediate identified vulnerabilities.
- Encrypt data.
- Establish data surveillance and IT alert policies.
For specifics on what compliance rules apply to your industry, check on the compliance guidelines published by national trade associations.
Closing the Mobile Printing Security Gap
Breezy is the only mobile print provider that secures data on any mobile device – iPhone, iPad, Android tablet or smartphone, or BlackBerry device – with military-grade encryption before transferring the encrypted files safely via SSL to any approved printer or print network. Breezy can be installed in minutes, and is already integrated with five of the top 6 mobile security platforms.
Add Breezy to these general tips on compliance, and you’ll be ready for any federal or state compliance audit.
- Understand your users' habits as well as their physical environment. For example, hospitals have to cope with lead-walled radiology departments, and every business runs into issues with elevators, bathrooms, 1970s-era concrete and steel buildings, and interference from amateur radio bands.
- Build future bandwidth needs into any security plan. If your company doesn’t currently use VoIP, or a unified communications system, chances are that it will soon. A dramatic increase in the number of tablets and smartphones accessing the company network via Wi-Fi is also a near certainty in many industries.
- Check references for any vendor you’re considering for a secure mobile print solution. Make sure they can support the current range of printers in your network and aren’t tied to any specific manufacturer. Talk to the vendor's current customers, and to the mobile security or MDM vendor you’re using, to make sure that their integration meets the other vendor’s standards.
- Consider guest use carefully. What information will you collect from guests who log on to the network? Email addresses only? How will you limit their use of the network, as well as secure protected data? Firewalls; network partitions; strong authentication; Wired Equivalent Privacy, or WEP; key management; and expiration can all be part of the plan.
- Plan to monitor for rogue access points. A rogue access point can be “friendly fire” – an executive bringing a router or personal printer into his office for convenience, for example – rather than a hacker attempting to penetrate the network. Build a written policy for rogue access points into your plan, and make sure that the secure mobile print solution you select can manage a user’s attempts to skirt policy by adding unapproved devices.