
Posted Date: 4/30/2009

Legislating Encryption

By Chris Hazelton

In the first of this two-part series, 451 Group's Chris Hazelton examines new laws that are calling for encryption of data on all forms of mobile devices. In Part Two, he discusses the steps enterprises can take to protect themselves from running afoul of these regulations.

The state of Massachusetts is preparing to enact regulations mandating encryption of customer data that travel outside a company's premises. The deadline to conform to the regulation is set for January 1, 2010. This is the third deadline proposed for 201 CMR 17.00, but it may not be the last -- the state of New Jersey took two years to pass a less expansive law. While the deadline may be ill-defined, its impact is not. Any company that has customers in the state of Massachusetts will fall under this law, regardless of the state in which it is incorporated. The regulators believe that for this regulation to be most effective, its reach cannot be limited to the borders of Massachusetts.

This is not the first time a state has attempted to protect personal information. California passed a law in February 2002 that mandates public disclosure of lost or stolen customer data. Nevada passed a law in October 2008 that vaguely requires the encryption of customer data that is electronically transmitted outside "the secure system of a business."

The key difference with the Massachusetts law is that customer records of a state resident must be encrypted no matter how this information travels outside of a company. The definition of a customer record is a resident's full name and a driver's license number, social security number, or any "financial account number."

The vagueness of the last criterion is designed to provide the greatest flexibility in enforcing this regulation. While the Nevada regulation focuses on data transmitted over networks, Massachusetts specifically targets data at rest on "laptops or other portable devices." It is not a stretch to see "portable devices" also including smartphones, given their rapidly increasing storage capabilities and significant presence in the enterprise.

Unlike prior attempts to mandate encryption, the Massachusetts regulation hits squarely at the mobile device. It mandates the need to actively manage devices outside the corporate firewall. It points to a need to protect both data at rest and data transmitted over the air (OTA). This means companies need to own and actively manage smartphones used by their employees, and make sure these devices are suitable when it comes to encryption of customer data. The ultimate goal of the regulation is to go beyond data at rest on the device, and have all data on a secure server, with thin client or SaaS access to customer data, whereby no personally identifiable information, as outlined by Massachusetts, is left on a laptop or smartphone.



Chris Hazelton is Research Director, Mobile & Wireless, with The 451 Group.


All materials on this site Copyright Edgell Communications. All rights reserved.