Yes, according to 201 CMR 17.04(5), "encryption of all personal information stored on laptops or other portable devices" is mandatory. Encryption is required for PDAs, BlackBerrys, or other mobile devices that contain protected data.
Fortunately, the state has also provided more details on encryption in the Massachusetts data protection laws in an FAQ, which states:
- "Do all portable devices have to be encrypted?"
- "No. Only those portable devices that contain personal information of customers or employees and only where technically feasible. The 'technical feasibility' language of the regulation is intended to recognize that at this period in the development of encryption technology, there is little, if any, generally accepted encryption technology for most portable devices, such as cell phones, BlackBerrys, netbooks, iPhones. While it may not be possible to encrypt such portable devices, personal information should not be placed at risk in the use of such devices. There is, however, technology available to encrypt laptops."
I interpret this to say that these devices only need to be encrypted if:
- They have sensitive personal information on them, or
- There exists a reasonable technology and method to encrypt them.
If there is no reasonable encryption method for the device, don't store personal information on it.
That being said, there are plenty of easy-to-use encryption technologies currently available for handheld mobile devices. The BlackBerry and the iPhone both support encryption natively, and there are encryption technologies such as PGP, BitLocker or TrueCrypt (which is free) for netbooks as well. Thus, since encryption options are available, your organization should encrypt those handhelds if they have personal information on them.
This was first published in December 2009