Educause Security Discussion mailing list archives

Re: Laptop encryption experiences


From: Allison F Dolan <adolan () MIT EDU>
Date: Tue, 16 Nov 2010 14:12:55 -0500

Randy

Like all good regulations, the wording is ambiguous.  

The whole 'Computer System Security Requirements' section is prefaced with 'the extent technically feasible', and the 
specific reference to laptops is simply "Encryption of all personal information stored on laptops or other portable 
devices".

In talking with the regulators, it sounded like their thinking was influenced by the number of lost or stolen laptops, 
USBs and such, and thus they were thinking of the situation when the machine is powered off.  Since MA doesn't have an 
automatic safe harbor for encryption, there are those who believe that if you can show that the data was encrypted at 
the time of the loss/theft, then the AG may agree you don't need to notify. 

(Given the limitations of FDE, we really push the mantra "you can't lose what you don't have"; if you have to have 
such info, then there is a laundry list of requirements, including, but not limited to, FDE on laptops.)
  
......Allison  Dolan (617-252-1461)



On Nov 16, 2010, at 1:37 PM, randy marchany wrote:

Allison, you hit on my point about FDE. Is it really compliance? It seems to me that FDE complies with the MA law only 
if the laptop is powered off. Does FDE comply when you're using the computer? Not familiar with the MA wording so 
that's why I'm asking. Do you need some other encryption tool (TrueCrypt, PGP Netshare, GPG, etc.) to be compliant 
when the machine is in use?

-r.

On Tue, Nov 16, 2010 at 7:29 AM, Allison F Dolan <adolan () mit edu> wrote:
Rich - one reason to consider FDE is compliance related - in Massachusetts, there is a regulatory requirement to 
encrypt personal data on laptops (and other portable devices), and in other states, if the lost/stolen laptop has 
been encrypted, then you don't need to notify.

......Allison  Dolan (617-252-1461)



