I phoned a security professional friend the other day to discuss e-mail encryption implementation and she brought up an interesting question. The new Massachusetts data privacy law (aka CMR 201 17) requires that:

1. Private data stored on laptops must be encrypted
2. Private data that is transmitted must be encrypted

So here are a few scenarios in question:

1. What if I have private data on my laptop and I want to e-mail it to a fellow employee who sits three cubicles away from me. Should this e-mail be encrypted?
2. If I want to send this private data in an e-mail to an external party, it appears like I have to encrypt the data from the time it leaves my PC until the time it is received by someone on the other end.

As I understand it, less than 10% of all e-mail is encrypted today at organizations with e-mail encryption deployed. If scenario #1 is true, then e-mail encryption must become an e-mail staple as a high percentage of internal e-mail messages must be encrypted. If scenario #2 is true, then e-mail encryption gateway solutions don’t meet compliance requirements. This means new deployments of e-mail encryption clients and potentially CAs, PKI, revocation lists, digital certificates, etc.

I don’t know whether either scenario is true so I’d appreciate reader comments and opinions. Thanks.

Related posts:

1. Symantec Moving to Define an Encryption Architecture
2. Open source and ESG
3. Forensics, Litigation, and Full Disk Encryption
4. Massachusetts Delays Its Data Privacy Compliance Deadline — Again!
5. CA Enters Encryption Key Management Market

Tags: email, encryption, MA CMR 201 17