Ask the Expert

Encryption of mobile devices under Massachusetts data protection law

Is there anything in the new Massachusetts state laws for data protection going into effect March 1, 2010, about email encryption or protection needed for PDAs, BlackBerrys and the like?

Yes, according to 201 CMR 17.04(5), "encryption of all personal information stored on laptops or other portable devices" is mandatory. Encryption is required for PDAs, BlackBerrys, or other mobile devices that contain protected data.

Fortunately, the state has also provided more details on encryption in the Massachusetts data protection laws in an FAQ, which states:

    "Do all portable devices have to be encrypted?"

    "No. Only those portable devices that contain personal information of customers or employees and only where technically feasible. The "technical feasibility" language of the regulation is intended to recognize that at this period in the development of encryption technology, there is little, if any, generally accepted encryption technology for most portable devices, such as cell phones, BlackBerrys, netbooks, iPhones. While it may not be possible to encrypt such portable devices, personal information should not be placed at risk in the use of such devices. There is, however, technology available to encrypt laptops."

I interpret this to say that these devices only need to be encrypted if:

  1. They have sensitive personal information on them; or
  2. There exists a reasonable technology and method to encrypt them.

If there is no reasonable encryption method for the device, don't store personal information on it.

That being said, there are plenty of easy-to-use encryption technologies currently available for handheld mobile devices. The BlackBerry and the iPhone both support encryption natively, and there are encryption technologies such as PGP, BitLocker or TrueCrypt (which is free) for netbooks as well. Thus, since there are available encryption options, your organization should encrypt those handhelds if they have personal information on them.

For more information:

  • Learn more about interpreting "risk" in the Massachusetts data protection law.
  • Also, check out the basics of the Mass. data protection law.

This was first published in December 2009.
