Q

Encryption of mobile devices under Massachusetts data protection law

BlackBerrys and iPhones are everywhere, but under the new Massachusetts data protection law, is it necessary to encrypt their contents? Learn more in this response from security management expert David Mortman.

Is there anything in the new Massachusetts state laws for data protection going into effect March 1, 2010, about email encryption or protection needed for PDAs, BlackBerrys and the like?

Yes, according to 201 CMR 17.04(5),"encryption of all personal information stored on laptops or other portable devices" is mandatory. Encryption is required for PDAs, BlackBerrys, or other mobile devices that contain protected data.

Fortunately, the state has also provided more details on encryption in the Massachsetts data protection laws in an FAQ , which states:

    "Do all portable devices have to be encrypted?"

    "No. Only those portable devices that contain personal information of customers or employees and only where technically feasible. The "technical feasibility" language of the regulation is intended to recognize that at this period in the development of encryption technology, there is little, if any, generally accepted encryption technology for most portable devices, such as cell phones, BlackBerrys, netbooks, iPhones. While it may not be possible to encrypt such portable devices, personal information should not be placed at risk in the use of such devices. There is, however, technology available to encrypt laptops."

I interpret this to say that these devices only need to be encrypted if:

  1. They have sensitive personal information on them, or;
  2. There exists a reasonable technology and method to encrypt them.

If there is no reasonable encryption method for the device, don't store personal information on it.

That being said, there are plenty of easy-to-use encryption technologies currently available for handheld mobile devices. The BlackBerry and the iPhone both support encryption natively, and there are encryption technologies such as PGP, Bitlocker or TrueCrypt (which is free) for netbooks as well. Thus, since there are available encryption options, your organization should encrypt those handhelds if they have personal information on them.

For more information:

  • Learn more about interpreting "risk" in the Massachusetts data protection law.
  • Also, check out the basics of the Mass. data protection law.
  • This was first published in December 2009

    Dig deeper on Handheld and Mobile Device Security Best Practices

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    -ADS BY GOOGLE

    SearchCloudSecurity

    SearchNetworking

    SearchCIO

    SearchConsumerization

    SearchEnterpriseDesktop

    SearchCloudComputing

    ComputerWeekly

    Close