Blackout is a security and compliance technology that restricts the functionality of smart devices within defined spaces, placing control in the hands of system administrators.
The growth of bring your own device (BYOD) policies has enabled work-related communications to evade oversight. Blackout helps organisations to eliminate unrecordable communications within regulated workspaces by limiting their creation and, with it, the requirement to capture the data.
Blackout enhances the ability of compliance teams to meet their obligations to regulators, such as the FCA and SEC, and to comply with evolving regulations, including MiFID II, MiFIR, the GDPR and PCI DSS.
The FCA Handbook is clear on managing electronic communications in regulated firms, requiring: “reasonable steps to prevent an employee or contractor from making, sending or receiving relevant telephone conversations and electronic communications on privately owned equipment which the firm is unable to record or copy.”
Regulated firms typically focus on recording all emails and phone calls over work devices. But the advent of personal devices at work makes communications into and out of the firm harder to police.
In Europe, the 2008 financial crisis decimated trust in the financial services sector, resulting in a recasting of the Markets in Financial Instruments Directive, known as MiFID II and the accompanying MiFIR regulations. These far-reaching new rules aim to strengthen investor protection, prevent market abuse, increase transparency and re-establish consumer trust. They provide a legislative framework to leverage disclosure and reporting as regulatory tools and introduce robust compliance obligations for firms operating within the EU. Some of the most contentious aspects of the new regulations concern the use of communications recording – both in terms of the scope of communications that must be recorded and the requirement for firms to monitor recordings in order to remain compliant.
The GDPR requires personal data to be processed securely, protecting against unauthorised or unlawful processing, accidental loss, destruction, or damage. It requires that appropriate technical or organisational measures are used. Companies have a general obligation to implement technical and organisational measures to show that they have considered and integrated data protection into their processing activities. Additionally, the Data Protection Act states: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.
The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud.
Data Loss Prevention (DLP) aims to prevent sensitive information from leaving an organisation. DLP strategies must include solutions that monitor, detect and block unauthorised information flows.
Data loss incidents turn into data leakage incidents in cases where media containing sensitive information is disseminated and subsequently acquired by an unauthorised party.
Corporate data loss typically arises from careless or malicious employee actions. Rather than an attacker exploiting the device or tricking the victim into sharing data, many users make use of vulnerable unsanctioned services for work purposes.
Many mobile security solutions enable organisations to control access to different services, but don’t prevent the use of encrypted messaging, browsers and cameras, compromising the workplace environment. Implementing Blackout can help compliance teams meet legislative requirements, such as GDPR, MiFID II, FCA, PCI DSS.