Yes, according to 201 CMR 17.04(5), "encryption of all personal information stored on laptops or other portable devices" is mandatory. Encryption is required for PDAs, BlackBerrys, or other mobile devices that contain protected data.
Fortunately, the state has also provided more details on encryption in the Massachusetts data protection laws in an FAQ, which states:
"Do all portable devices have to be encrypted?"
"No. Only those portable devices that contain personal information of customers or employees and only where technically feasible. The "technical feasibility" language of the regulation is intended to recognize that at this period in the development of encryption technology, there is little, if any, generally accepted encryption technology for most portable devices, such as cell phones, BlackBerrys, netbooks, iPhones. While it may not be possible to encrypt such portable devices, personal information should not be placed at risk in the use of such devices. There is, however, technology available to encrypt laptops."
I interpret this to say that these devices only need to be encrypted if:
- They have sensitive personal information on them, or
- There exists a reasonable technology and method to encrypt them.
If there is no reasonable encryption method for the device, don't store personal information on it.
That being said, there are plenty of easy-to-use encryption technologies currently available for handheld mobile devices. The BlackBerry and the iPhone both support encryption natively, and there are encryption technologies such as PGP, BitLocker or TrueCrypt (which is free) for netbooks as well. Thus, since there are available encryption options, your organization should encrypt those handhelds if they have personal information on them.
Related Q&A from David Mortman