EMM and the Law

EMM recommended under California cyber-security law

EMM is the recommended approach for implementing the foundational Critical Security Controls for mobile devices as required by California law. Download white paper here.

Companies handling personal data in the United States do not have the luxury of looking to a single law or regulatory scheme for definitive guidance on the scope of their security and privacy obligations. However, the California Data Breach Report is an example of how enterprise mobility management (EMM) is increasingly becoming a best practice for compliance with these obligations.

In the February 2016 Data Breach Report, the California Attorney General outlines a standard that recommends mobile device management (MDM) as a means to protect information security and privacy in a mobile computing environment. MDM is a component of an enterprise mobility management (EMM) solution. The 2016 Data Breach Report can be found at https://oag.ca.gov/breachreport2016.

Minimum required level of information security

The 2016 Data Breach Report outlines the standard for the minimum required level of information security with which businesses must comply to satisfy California’s information security and privacy law. This standard applies to all companies that process or maintain sensitive personal information of California residents. Most companies that have customers in California, especially if they are consumer businesses, will store such data. Historically, California has been an influential state in establishing cyber-security legislation, so other states might also be monitoring these evolving legal requirements.

Under California data security law, companies that process sensitive personal information must implement “reasonable security procedures and practices … to protect personal information from unauthorized access, destruction, use, modification, or disclosure.” The 2016 Data Breach Report identifies the twenty Critical Security Controls published by the Center for Internet Security (CIS) as “the minimum level of information security that all organizations that collect or maintain personal information should meet.” The report specifically notes that “a failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”

The Controls were not originally developed with mobile in mind, but they have now been updated to reflect the new security and privacy requirements of enterprise mobility. In the Mobile Security Companion to the CIS Critical Security Controls, CIS states that many organizations don’t fully understand the security risks of mobile. This companion document provides a framework to mitigate these risks and can be found at https://www.cisecurity.org/critical-controls.cfm.

EMM is a proactive approach to legal compliance

The top five Critical Security Controls for mobile all recommend the use of mobile device management, a core component of EMM, as a method for compliance. The EMM and the Law white paper (download here) has detailed information about these Controls and how to use MDM for compliance.

A proactive approach to legal compliance is always preferable to a reactive one. EMM has traditionally been central to a company’s mobile security strategy. Now, as enterprise mobility and the law intersect, EMM also becomes central to a company’s compliance strategy.

EMM is not optional.

(Download the EMM and the Law white paper here for more details.)

Laurel Finch