A personal diary assistant (PDA) is no longer just a simple electronic aide memoire, but a small computer of increasing power and sophistication. The current crop of PalmPilots have a memory capacity of 8MB and can store 10,000 addresses, 400 emails and 3,000 documents with notes. They are carrying more corporate data, more personal data - and are increasingly a popular target for theft.

The only solution to this threat is encryption. This is clearly the way to protect communications. It won't stop eavesdroppers (whether government-sponsored Echelon, profit-driven industrial spies or good old hackers) from intercepting your messages, but it will stop them gaining anything useful from them.

But encrypting communications is no longer enough. You also need to encrypt the data stored on the PDA to keep on the right side of the law. PDAs are easily lost or stolen. This was recently illustrated by Taxi Newspaper and Pointsec Mobile Technologies in a survey which found a staggering 2,900 laptops, 1,300 PDAs and more than 62,000 mobile phones had been left in London's licensed taxi cabs in the past six months.

Unless the data is encrypted, a lost or stolen device could not only prove costly, but could also result in a criminal conviction. What is happening to laptops today will happen to PDAs tomorrow.

The number of high-profile laptop thefts is frightening and growing. In the US, a computer insurer has estimated that 5% of all laptops are stolen within their first 12 months of service. Last year, The Mirror newspaper reported at least 37 UK government laptops had been lost or stolen since 1997. We have to wonder just how many unreported thefts actually occur.

Mandatory protection
While it is advisable to encrypt the data stored on your PDA, within the European Union it may in fact be a legal requirement. Such devices are frequently used to store company contact information - a home address, mobile phone number and even home phone number. In other words, personal information that needs to be registered under, and is liable to the strictures of, the Data Protection Act 1998.

The seventh principle of this Act is unequivocal: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

First of all, it is worth considering who is liable under this Act. Conformance to the Act is the responsibility of the data controller - "a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed".

In other words, the "person or persons" is effectively the board and the immediate data-processing managers.

Company is liable
One thing it isn't is the person who "owns" the computer or PDA. If the data is on the PDA by company assent, then it is the company that is determining the purposes for and manner in which it is to be processed - and it is therefore the company that is liable.

Therefore, if your PDA gets into the wrong hands, it could land your boss in court. But if the data is on the PDA without company assent, then the firm has already broken the Act by failing to protect "against accidental loss or destruction of, or damage to, personal data".

A consultant to the e-commerce group of City law firm Fox Williams, Nicholas Bohm, says: "If it's company data being used by an employee on company business, then the company in principle controls it (through the employee's duties of fidelity, following the rulebook, etc) and must make rules and provide systems that protect it from unauthorised use or disclosure."

In other words, the company is still liable. Quite simply, there is no way round this - if employees use PDAs that include contact information, the company is liable to the conditions of the Act. Once again, it is worth considering the wording of the Act: "Where an offence has been committed by a body corporate and is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly."

Basically, this will mean the company director.

What actually constitutes appropriate technical and organisational measures is something that ultimately can only be defined by the courts - but it would be best not to let it get that far. It seems clear that "organisational measures" could be covered by a formal written and enforced security policy designed to protect the PDA and its data.

Appropriate technical measures are more difficult. If we were talking about the corporate mainframe, the appropriate measure would be a firewall. Vendors are working on chip-based firewalls that can be built into PDAs, but they are not there yet. So for PDAs, we need something else - and all we really have is encryption.

The rule of thumb
Encrypted data is safe data. Confidential information is hidden from industrial spies and hackers alike. It is advisable, though not compulsory. However, if the PDA contains contact information, then you must seriously consider its liability under the Data Protection Act. In this case, encryption is almost compulsory.

Strong wireless security products are being used by companies more frequently than ever, with products such as Pointsec for Palm OS, which combines access control with encryption for mobile devices. It means organisations can have one security system which protects a range of handheld computers, laptops and PCs from unauthorised users, as well as keeping companies compliant with EU and UK legislation. This puts an end to embarrassing and potentially damaging leaks of information from wireless devices, and to the risk of landing the company on the wrong side of the law.

  • Magnus Ahlberg is managing director of Pointsec Technologies.