DATA PROTECTION LAWS & MOBILE SECURITY

Pradeo’s mobile security solution suite provides tools to enforce compliance with the following data protection laws and to protect your personal data, financial data and health data.
PERSONAL DATA
General Data Protection Regulation (GDPR)
The GDPR is a personal data privacy law that applies to any organization that does business in Europe, regardless of its physical location. It sets guidelines for the collection, processing and storage of European residents’ personally identifiable information. The GDPR was enacted to protect information belonging to clients, employees, partners and prospects, including data handled on mobile devices and in mobile applications.
GDPR requirements applying to mobile data
Article 5
Personal data shall be processed in a manner that ensures appropriate security, and includes protection against unauthorized processing, accidental loss, destruction or damage.
Requires protecting mobile devices and applications on which personal data are handled
Article 25
Organizations shall implement data protection by design, by deploying appropriate solutions which are specifically designed to protect data.
Requires implementing security in mobile application development cycles
Article 32
Organizations shall guarantee users’ data security commensurately to risk levels by putting in place procedures to regularly test, analyze and evaluate security practices.
Requires having visibility on personal data flows and their level of security
FTC Act, PIPEDA, Data Privacy Act and other country-specific regulations
Personal data privacy regulations comparable to the GDPR are in effect in other regions of the world, such as the FTC Act (USA), PIPEDA (Canada), the DPA (UK) and the NDB scheme (Australia). These regulations tend to converge towards the same global guidelines by asking organizations to:
• Protect personal data manipulated by mobile devices and applications
• Implement risk mitigation practices
• Prevent data loss and breach
• Monitor data processing activities

Some of these laws provide for massive fines in case of non-compliance. For example, the credit reporting agency Equifax was fined £500,000 by the UK Information Commissioner's Office over its 2017 data breach.

Pradeo provides solutions to:

  • Identify personal data processing within a mobile fleet
  • Reveal mobile applications' actions on personal data
  • Enforce GDPR compliance
FINANCIAL DATA
Payment Service Directive 2 (PSD2)
The PSD2 applies to banks, payment service providers (PSPs) and any other company that handles financial data. It is a European law that enforces the security of mobile banking and payment applications, mobile wallets and all shopping apps that offer a payment functionality. It aims at harmonizing the protection of electronic payments and consumers' financial data while promoting innovation and offering a better experience to users.
PSD2 requirements applying to mobile data
Two complementary mobile security principles appear among the security measures imposed by Articles 4, 7, 8 and 9 of the RTS (the Regulatory Technical Standards on strong customer authentication): strong authentication and a secure execution environment.

Financial service providers, including banks, must implement authentication based on a minimum of two factors and a one-time password. In order to ensure strong authentication, the confidentiality of the code and the prevention of fraudulent access are required.

The PSD2 highlights the fact that authentication is reliable only when it is ensured that the communication cannot be intercepted and that the sender of the data request is the user itself, and not malware. To ensure strong authentication, the PSD2 requires securing the execution environment by tracking the security of users' mobile endpoints.
The Payment Card Industry Data Security Standard (PCI DSS)
The PCI Security Standards Council is a global organization that maintains, evolves and promotes an information security standard for organizations that handle credit card data across the globe. It specifically requires all merchants that use mobile payments to protect cardholder data by maintaining a secure environment. In its requirements for compliance, the standard states that mobile devices are not necessarily designed to be secure.
PCI DSS requirements applying to mobile data
Requirement 5
Protecting all systems against malware and performing regular updates of anti-virus software (malware can enter a network through numerous ways, including Internet use, employee email, mobile devices or storage devices).
Requires the protection of mobile devices against malicious programs
Requirement 6
Developing and maintaining secure systems and applications. Vulnerabilities in systems and applications allow unscrupulous individuals to gain privileged access. Security patches should be installed immediately to fix vulnerabilities and prevent exploitation and compromise of cardholder data.
Requires auditing and fixing mobile application vulnerabilities

Pradeo provides solutions to:

  • Protect mobile devices from known and zero-day malware attacks
  • Audit mobile applications and remediate their vulnerabilities
  • Secure mobile applications' execution environment
HEALTH DATA
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA applies to healthcare organizations operating in the United States. It is a set of security rules that aim at safeguarding the privacy of patients and health plan subscribers. The following administrative safeguards of the Act require the protection of the mobile devices and applications used by healthcare organizations.
HIPAA requirements applying to mobile data
(a)(1)(ii)(D)
Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
(a)(5)(ii)(A)
Install periodic security updates. (B) Procedures for guarding against, detecting, and reporting malicious software. (C) Enable logging and log alerting on critical systems.
(a)(6)(ii)
Implement policies and procedures to address security incidents. Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
Requires regularly reviewing information system activity, implementing solutions that detect and mitigate security incidents (including malicious software), and alerting in case of a security incident.

Pradeo provides solutions to:

  • Protect mobile devices from malware and data theft
  • Protect mobile applications' sensitive data from malware and exfiltration

As every country has its own mobile data privacy rules, this list is not exhaustive. To know if our solutions can help comply with any other data privacy law, please contact us.