Security Breach Laws & Smartphones/Handhelds

[James H Moore <jhmfa () RIT EDU>]

New York state's new security breach law has language in it surrounding the loss of control of a devices with 
unencrypted personal information on it.
 
How are people approaching things.
 
My reaction is to say
1) No confidential information on the device.  But people are using it to receive email, and the assumption by some 
people at the institute is that since you can use encrypted MAPI and IMAP, then sending confidential information 
through email to others on campus is OK.  The problem is that with smartphones, etc, the people get their email from 
off campus, often with a server in between.   So bottom line is that confidential information to handhelds/smartphones 
is not regulated in any manner.  (But there is a benefit - people can stay in touch better when they are on the road.)
 
2) If there is confidential information on the smartphone/handheld, then there needs to be:
(Based on marketing literature, not experience)
a) Anti-virus
b) Encryption
c) A firewall
 
This is where I need the voice of experience.  Does anyone have success with a smartphone/handheld architecture?  Will 
you be willing to share your helpdesk, or awareness, or training materials with RIT?
 
Thanks,
 
Jim
- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)

""In the middle of difficulty lies opportunity." Albert Einstein

"The release of new internet threats have not created a new problem. It has merely made more urgent the necessity of 
solving an existing one." Parallels quote by Albert Einstein on atomic energy