I phoned a security professional friend the other day to discuss e-mail encryption implementation and she brought up an interesting question. The new Massachusetts data privacy law (aka CMR 201 17) requires that:
So here are a few scenarios in question:
As I understand it, less than 10% of all e-mail is encrypted today, even at organizations that have e-mail encryption deployed. If scenario #1 is true, then e-mail encryption must become an e-mail staple, since a high percentage of internal e-mail messages would have to be encrypted. If scenario #2 is true, then e-mail encryption gateway solutions don’t meet the compliance requirements. That means new deployments of e-mail encryption clients and potentially CAs, PKI, revocation lists, digital certificates, etc.
I don’t know whether either scenario is true so I’d appreciate reader comments and opinions. Thanks.
Tags: email, encryption, MA CMR 201 17
Yes, PII and PCI must be encrypted, no matter how far the data travels, even one cubicle. Look at PGP for email encryption.
I agree with Mr. Sillari, yes, it doesn’t matter what the distance traveled is. And your second scenario is oftentimes the hardest part of compliance – because even if you use one encryption solution, who says the party receiving your email is using the same program?
Therefore, it’s worthwhile to do some research into an encryption solution that works with your company.