Privacy and the PDA

EMPLOYEES AT ALMOST every rung of the corporate ladder carry a wealth of company trade secrets, personnel information, sales data and financial projections on their laptop computers and PDAs. It is amazing to me that companies will take great care to keep confidential and sensitive information under lock and key in their offices, yet send employees to far-flung locations with the same information stored on laptops, PDAs and other mobile devices that are protected by nothing more than the employee's good habits.

Consider the PDA — a powerful hand-held device that can capture, store and transmit confidential information about customers, employees and business partners. In many cases, companies are using PDAs to make their sales force members more productive by enabling them to keep large amounts of customer data literally at their fingertips. However, in the rush to increase revenues, companies are not taking the time to train their employees on the privacy and security risks posed by PDAs.

The following scenario is an example of how a hard-working sales rep, in a momentary lapse of judgment, compromised confidential information about his customers and his company's business operations. The case is based on a real-life incident; names have been changed to protect the confidentiality of those involved.

Harvesting Sales with PDAs

Jake Watson was a sales representative for Highpoint, an agricultural products and farm equipment company headquartered in the Midwest. His territory covered a large part of southern Montana and Wyoming.

During the past 30 years, Jake developed close relationships with many of the local farmers and ranchers in the region. His success was based on his knowledge of, and friendship with, the end customer, usually the owner/operator of the farm or ranch.

Recently, Jake was selected to participate in a pilot sales program at Highpoint. The company started to test automation tools for the field sales force to manage and track customer orders. In addition to sales management, the tools provided online information about crops and weather forecasts to share with customers during sales calls.

After two days of training, Jake received his new state-of-the-art PDA. Each PDA had wireless communication capability to send and receive data from the field, which meant that the credentials it used to reach Highpoint's systems were stored on the device itself. Jake knew that the company had a strict information security policy, but he didn't consider the PDA a "computer." So, in addition to business purposes, Jake used his PDA for e-mail, Web surfing and video poker. Jake knew that his PDA had password and screen-saver options, but didn't see the need to use them: they were inconvenient and required a log-on step every time the device was accessed or turned "on." Besides, only he had access to the PDA.

One day while travelling to his appointment, Jake realised that his PDA was gone. He remembered that he'd either left it on the table at the diner where he'd had breakfast, or it might have fallen out of his holster when he climbed into the cab of his truck. To avoid getting into big trouble with his supervisor, Jake purchased an identical PDA. His friends at the home office downloaded all the sales automation software for him. Later, Jake downloaded his personal favourites, including video games.

It turned out that two teenagers found Jake's PDA in the diner. They didn't see any reference to the owner, so they decided to keep it.

One of the teenagers considered himself a computer geek and studied the PDA. With no password in the way and the device's stored credentials still valid, he quickly obtained confidential information about farms and ranches in the immediate area, and gained high-level access to Highpoint's worldwide network.

Three weeks later, the IT manager found that the company's computer systems had been compromised. The intrusion resulted in widespread corruption of the data used to feed sales force PDAs with confidential information about customers and their business operations. Much of this sensitive customer data couldn't be restored, and the loss translated directly into missed business opportunities and sales.

Farmers and ranchers around the country learned about the hacking incident at Highpoint from a breaking news story on TV. A significant number of Highpoint customers protested to the company about the collection and use of their confidential personal and business data without their permission. Many of them had considered their conversations with the sales rep completely private, not a data-collection activity for big business.

Jake's credentials were ultimately identified as the entry point for the intrusion. When confronted, Jake told the whole story about his lost PDA, never having realised the significant exposure or risk this device created for Highpoint. Just before getting the news of his termination from Highpoint, Jake asked his sales manager, "If the loss of one little PDA creates such a big stir, why didn't we get better instruction or training on security?"
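The three-week gap between the loss and its discovery is the part of the story a security team can actually do something about. Jake never reported the device, but he did quietly provision a second one, so for three weeks one user's credentials were active from two PDAs at once, and the original device kept syncing after the replacement was enrolled. The following is an added example, not code from the article or from Highpoint: it runs a simple check for exactly that pattern over sync-server log lines. The log format, user name and device identifiers are constructed for illustration; a real sync or VPN gateway would have its own fields, but the logic (flag any activity from a device other than the user's most recently enrolled one, and revoke that device's credentials) carries over.

```python
"""Flag one user's credentials in use from a stale (presumably lost) device.

Added example, not from the original article. The log format below is
constructed: each line is "<ISO timestamp> <user> <device id> <event>".
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. jwatson's original PDA (PDA-1138) keeps syncing
# and exporting customer records after he enrols a replacement (PDA-2271).
SAMPLE_LOG = """\
2003-04-01T07:12:00 jwatson PDA-1138 sync_ok
2003-04-01T18:40:00 jwatson PDA-1138 sync_ok
2003-04-02T09:05:00 jwatson PDA-2271 enrolled
2003-04-02T09:06:00 jwatson PDA-2271 sync_ok
2003-04-03T22:15:00 jwatson PDA-1138 sync_ok
2003-04-03T22:18:00 jwatson PDA-1138 export_customers
2003-04-04T08:00:00 mlee PDA-1140 sync_ok
"""


def parse_log(text):
    """Turn the constructed log text into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, event = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "device": device,
            "event": event,
        })
    return records


def devices_per_user(records):
    """Map each user to the set of device ids seen authenticating as them.

    More than one device per user is the first thing to look at; in the
    story it would have shown two PDAs under jwatson within a day.
    """
    seen = defaultdict(set)
    for r in records:
        seen[r["user"]].add(r["device"])
    return dict(seen)


def stale_device_activity(records):
    """Return events from a device other than the user's newest enrolled one.

    A replacement device appearing while the old one keeps syncing means
    the old one was lost, not retired, and its credentials are still live.
    """
    newest = {}  # user -> (enrollment time, device id)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event"] == "enrolled":
            newest[r["user"]] = (r["ts"], r["device"])

    alerts = []
    for r in records:
        latest = newest.get(r["user"])
        if latest and r["device"] != latest[1] and r["ts"] > latest[0]:
            alerts.append(r)
    return alerts


def revocation_list(records):
    """(user, device) pairs whose credentials should be disabled now."""
    return {(r["user"], r["device"]) for r in stale_device_activity(records)}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, devs in devices_per_user(recs).items():
        print(f"{user}: {sorted(devs)}")
    for a in stale_device_activity(recs):
        print(f"STALE DEVICE {a['device']} for {a['user']} at {a['ts']}: {a['event']}")
    print("revoke:", sorted(revocation_list(recs)))
```

The check deliberately keys on enrollment rather than on a lost-device report, because in this case no report was ever filed. It also surfaces what the stale device did after the replacement appeared (here, a bulk customer export), which is the evidence an incident responder would want before deciding whether the customer notification the story describes is unavoidable.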

Dr Larry Ponemon is chairman and founder of Tucson-based Ponemon Institute, a think tank dedicated to advancing ethical information and privacy management practices in business and government. He is also a partner with Peppers & Rogers Group, a strategic management consulting firm focusing on responsible information management practices.


Copyright © 2003 IDG Communications, Inc.