A recent survey of IT professionals revealed that 40 percent can't determine whether they're complaint with laws protecting data stored on mobile devices.
According to a report released Tuesday, named “The Risk of Regulated Data on Mobile Devices,” only 12 percent of practitioners said their organizations were in “substantial” compliance with laws that protect regulated mobile data, while 17 percent said they weren't in compliance with applicable laws and regulations at all.
Conducted by the Ponemon Institute, the report surveyed 798 IT and IT security practitioners at U.S. organizations who are familiar with their company's efforts to comply with privacy and data protection requirements and regulations. The study was sponsored by WatchDox, a Palo Alto, Calif.-based firm that offers document tracking and compliance solutions.
Larry Ponemon, chairman and founder of the Ponemon Institute, told SCMagazine.com on Monday that the responses reflected that security staff needs more help defining what they should do to strengthen their entity's level of compliance – rather than a set of rules that explain how they could break the law or be fined.
“A lot of the regulations are not necessarily prescriptive,” Ponemon said. “Unless you tell [security practitioners] exactly what they are supposed to do, breaking it into little components, you find that the organizations cover compliance very broadly."
While a fair percentage of respondents, 40 percent, said the industry-driven Payment Card Industry Data Security Standard (PCI DSS) offered specific requirements for protecting regulated data on mobile devices, respondents weren't satisfied with the prescriptive nature of some federal regulations.
Eight percent of respondents felt Sarbanes–Oxley, a U.S. law setting standards for public company boards, management and accounting firms, laid out necessary guidance. Seven percent said the same of the Fair Credit Reporting Act, which regulates the sharing and collection of consumer credit report information.
And two percent of those surveyed believed that the U.S. Securities and Exchange Commission, the federal body that regulates the country's stock exchanges and investment practices, specified how their organization should go about protecting regulated mobile data.