Mobility breeds new security risk

The ability to carry vast amounts of data in small but easily misplaced items such as computer memory sticks and mobile e-mail devices has transformed the way Americans work, but it has also increased the risk that a forgotten BlackBerry or lost cellphone could amount to a major security breach.

Worried that sensitive information could ride off in the back of a taxicab, companies are peeling back some of the convenience of mobile devices in favor of extra layers of password protection and other restrictions. Some are installing software on their networks to make it impossible to download corporate information to a portable device or a memory stick, a plug-in device that holds data for use on other computers.

Wireless providers are developing weapons to use against their own products, including digital ''neutron bombs" that can wipe out information from afar so one misplaced device doesn't translate into corporate disaster.

It's a nightmare that individuals and corporations fret about when their mobile e-mail or handheld devices go missing or fall into the wrong hands. With the swift stroke of a keypad, someone's e-mail, corporate data, and business contacts can be laid bare for others to see -- and potentially abuse.

Personal devices ''are carrying incredibly sensitive information," said Joel Yarmon, who, as technology director for the staff of Senator Ted Stevens, a Republican from Alaska, had to scramble after a colleague lost one of the office's wireless messaging devices. In this case, the data included ''personal phone numbers of leaders of Congress. . . . If that were to leak, that would be very embarrassing," Yarmon said.

A couple of years ago, David Yach and all the other workers at his Canadian company woke up to an e-mail full of expletives from an otherwise mild-mannered female employee.

But it was not sent by the woman. A thief had broken into her home, commandeered her BlackBerry, and sent the note, said Yach, vice president of software at Research in Motion Ltd., the company that makes the BlackBerry, a cellphone that allows e-mail to be sent and received.

''It's terrifying," said Mark Komisky, chief executive of Baltimore's Bluefire Security Technologies Inc., who recently lost his iPaq 6315 Pocket PC in a cab or at O'Hare International Airport in Chicago. The device, a small pocket phone with a miniature keyboard, contained his e-mail, details of his company's strategy, Social Security numbers of his wife and son, and phone numbers for high-level executives at companies with which Bluefire does business, such as Intel Corp.

''I got off the plane in Baltimore and did the pat down and didn't have it," he said. ''It's bad," even for the head of a firm that sells security services for companies and government agencies trying to secure their wireless devices. At 10:30 p.m., he called a technician at Bluefire, who erased the information on the iPaq remotely.

Companies are seeking to avoid becoming the latest example of compromised security. Earlier this year, a laptop computer containing names and Social Security numbers of 16,500 current and former MCI Inc. employees was stolen from an MCI financial analyst's car in Colorado. In another case, a former Morgan Stanley employee sold a used BlackBerry on the online auction site eBay with confidential information still stored on the device.

To combat the problem, security companies have come up with ways to install layers of password protection and automatic locks on devices. Others market the ability to erase data over the air once the device is reported lost. In Japan, cellphone carrier NTT DoCoMo Inc. started selling models that come with fingerprint scanners to biometrically unlock phones.

Some companies suffer only embarrassment from such incidents. But for public companies or financial firms, a lost device could mean violation of the Sarbanes-Oxley Act, which requires strict controls over disclosure of financial information. For doctors and health care companies, the loss of customer data compromises patient confidentiality, protected by the Health Insurance Portability and Accountability Act.

Potential security breaches are made scarier by the greater reliance on mobile devices.

''I hear less about the cost of the devices, because it really is a pittance, but I really do hear more about the potential cost of someone gaining access to corporate data," said Kenny Wyatt, a vice president for Sprint Corp., which helps some of its business customers manage the security of wayward devices.

In Chicago, 160,000 portable devices are left in taxicabs every year, according to a survey by Pointsec Mobile Technologies, a security software firm. Fifty to 60 percent of those are reunited with their owner, according to the firm, which polled cab companies.

Yarmon, the staffer for Stevens, said he sends an e-mail every few months reminding colleagues to install passwords. ''That is my worst fear," he said, ''for a user to have it fall into the hands of somebody who disseminates it or uses that information against my boss."