Enterprise Strategy Group | Getting to the bigger truth.™

Open E-mail Encryption Issue with Massachusetts CMR 201 17

I phoned a security professional friend the other day to discuss e-mail encryption implementation and she brought up an interesting question. The new Massachusetts data privacy law (aka CMR 201 17) requires that:

  1. Private data stored on laptops must be encrypted
  2. Private data that is transmitted must be encrypted

So here are a few scenarios in question:

  1. What if I have private data on my laptop and I want to e-mail it to a fellow employee who sits three cubicles away from me? Should this e-mail be encrypted?
  2. If I want to send this private data in an e-mail to an external party, it appears that I have to encrypt the data from the time it leaves my PC until the time it is received by someone on the other end.

As I understand it, less than 10% of all e-mail is encrypted today at organizations with e-mail encryption deployed. If scenario #1 is true, then e-mail encryption must become an e-mail staple, since a high percentage of internal e-mail messages would have to be encrypted. If scenario #2 is true, then e-mail encryption gateway solutions don’t meet compliance requirements, because a gateway only encrypts from the organization’s edge onward, not from the sender’s PC. This means new deployments of e-mail encryption clients and potentially CAs, PKI, revocation lists, digital certificates, etc.

I don’t know whether either scenario is true, so I’d appreciate reader comments and opinions. Thanks.

Tags: email, MA CMR 201 17

2 Responses to “Open E-mail Encryption Issue with Massachusetts CMR 201 17”

  1. stephen sillari says:

    Yes, PII and PCI must be encrypted, no matter how far the data travels, even one cubicle. Look at PGP for email encryption.

  2. Adam says:

    I agree with Mr. Sillari: yes, it doesn’t matter what the distance traveled is. And your second scenario is oftentimes the hardest part of compliance, because even if you use one encryption solution, who says the party receiving your email is using the same program?

    Therefore, it’s worthwhile to do some research into an encryption solution that works with your company.

© 2010 Enterprise Strategy Group, Milford, MA 01757