For several years there has been a full-court press to ensure the security of data and, in particular, data that includes protected health information (PHI) of individuals. This spotlight on security has shone brightest on the healthcare arena. In what has become a regular occurrence, the scope of privacy laws has been expanded and the penalties for failure to maintain the security of data have been increased.
One often-cited weak link in most security systems has been the transmission of data through handheld devices such as smartphones. For a long time, the security systems of most handheld devices were below industry standards, raising the concern that the devices were susceptible to hacking and data breach. In response to such concerns, companies such as Apple and Google have invested heavily in enhancing the security aspects of their devices. Unfortunately, it now appears that they have done their job too well.
Recently, Apple announced that its latest operating system, iOS 8, would no longer permit a bypass of user passwords. Google’s upgraded Android system incorporated similar technology. Shortly thereafter, the Federal Bureau of Investigation (FBI) raised concerns that such security systems worked so well that their adoption could hinder criminal investigations.
It is still too early to predict who will prevail in the struggle between data security and national security. However, if the FBI prevails and does not permit utilization of state-of-the-art security measures, it is possible that a defendant defending a data breach through a smartphone could argue that, but for the government’s restriction on the use of available security measures, such breach could have been prevented.
Issues such as the scope of technological advances in both the data security and national security areas, and the federal government's willingness to allow companies to utilize all of the security technology available to them, will require careful attention to company security compliance plans. At this time, any company with sensitive data should continue to monitor and work with its data security team to ensure that its client’s security systems and compliance evolve with changes in technology and related laws.