Enterprise Strategy Group | Getting to the bigger truth.TM

Open E-mail Encryption Issue with Massachusetts CMR 201 17

I phoned a security professional friend the other day to discuss e-mail encryption implementation and she brought up an interesting question. The new Massachusetts data privacy law (aka CMR 201 17) requires that:

  1. Private data stored on laptops must be encrypted
  2. Private data that is transmitted must be encrypted

So here are a few scenarios in question:

  1. What if I have private data on my laptop and I want to e-mail it to a fellow employee who sits three cubicles away from me? Should this e-mail be encrypted?
  2. If I want to send this private data in an e-mail to an external party, it appears that I have to encrypt the data from the time it leaves my PC until the time it is received by someone on the other end.

As I understand it, less than 10% of all e-mail is encrypted today, even at organizations that have e-mail encryption deployed. If scenario #1 is true, then e-mail encryption must become an e-mail staple, since a high percentage of internal e-mail messages would have to be encrypted. If scenario #2 is true, then e-mail encryption gateway solutions (which encrypt only from the gateway outward, leaving the hop from the user's PC to the gateway unprotected) don't meet compliance requirements. This means new deployments of e-mail encryption clients and potentially CAs, PKI, revocation lists, digital certificates, etc.

I don't know whether either scenario is true, so I'd appreciate reader comments and opinions. Thanks.


One Response to “Open E-mail Encryption Issue with Massachusetts CMR 201 17”

  1. stephen sillari says:

    Yes, PII and PCI must be encrypted, no matter how far the data travels, even one cubicle. Look at PGP for email encryption.

© 2010 Enterprise Strategy Group, Milford, MA 01757