Canadian government changes data device guidelines

Unsecured mobile data devices are a serious security risk, something the Canadian government is affirming this week by releasing new guidelines for use of such equipment.

The directives handed down by Human Resources and Skills Development Canada (HRSDC) still allows for use of USB and other portable drives, but requires some to have biometric encryption, or be encrypted and password protected. In some cases, the devices don’t need such protection but management clearance is required before they can be used.

The news comes on the heels of a major data breach, after the personal information of nearly 600,000 Canadian Student Loan recipients was exposed last year when a federal department employee lost an external hard drive. A USB drive with information on 5,000 disability pension applicants was also recently lost by the HRSDC.

As pointed out by Postmedia News, the new rules essentially leave it up to workers to utilize technology wisely. Interestingly, a recently leaked internal memo from Public Safety Canada warns government employees about sending PIN-to-PIN messages, stating the method is unsecure and transmissions could be intercepted by other BlackBerry users.

“Although PIN-to-PIN messages are encrypted, they key used is a global cryptographic ‘key’ that is common to every BlackBerry device all over the world,” stated the memo. “Any BlackBerry device can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry device.”

What wasn’t pointed out by Public Safety Canada is that BlackBerry does offer customizable security options to secure data, and that there are ways to encrypt messages that only allow them to be read by devices on the same network. Oh, and as noted by The Register, this “news” isn`t really news at all.