
Laptop Device Encryption Software For Massachusetts Lawyers, Attorneys

You're a lawyer looking for more information on how to secure your laptop, as required under 201 CMR 17.00.  The law, going into effect on March 1, 2010, requires the use of laptop encryption software for any portable computers that contain sensitive data (which the law also defines; see the definition of "personal information" on page 2 of this PDF file).

You're probably wondering, what kind of encryption, though?  As a lawyer, you should read this and this prior to doing anything, if you haven't done so already.  As you'll note from the dates, these are the Massachusetts data protection laws, with the latter being a short explanation for the lay person--not just non-lawyers, but non-techies as well.

Tech-y Things You Should Be Aware Of As A Lawyer Selecting Encryption For Laptop Computers

Obviously, what I'm about to say is not legal advice--most especially because I'm not a lawyer.  However, this should aid you somewhat when looking to comply with the Massachusetts regulations regarding personal information protection and encryption software for your laptop computers.

  1. As an attorney, you're not immune from complying with 201 CMR 17.00.

    Taken verbatim from the FAQ:

    I am an attorney. Do communications with clients already covered by the attorney-client privilege immunize me from complying with 201 CMR 17.00?

    If you own or license personal information, you must comply with 201 CMR 17.00 regardless of privileged or confidential communications. You must take steps outlined in 201 CMR 17.00 to protect the personal information taking into account your size, scope, resources, and need for security.
  2. Laptop computers storing personal information must be encrypted.

    Under 201 CMR 17.04 (5)--and as pointed out in the FAQ under "Do all portable devices have to be encrypted?"--laptop computers must be encrypted if personal information is stored on them.  The FAQ notes that encryption software exists for laptops, so the technical feasibility clause is met.

  3. There's no specific encryption product you're supposed to use.

    Lifted directly from the FAQ, "the definition of encryption has been amended to make it technology neutral so that as encryption technology evolves and new standards are developed, this regulation will not impede the adoption of such new technologies"--the emphasis is mine.

    Now, that's great going forward and all, but this doesn't actually give you handy specs you can look up, make comparisons with, etc. that allows you to be in compliance today.  This is where I make my observation (not recommendation).

    Currently, the encryption standard is AES-128 or equivalent, or higher.  You'll find security experts who disagree with that statement, but I've found that they're few and far between--not to mention that AES-128 is still offered by the major encryption providers, so it's still good (major encryption companies won't offer something they know is deficient).  AES (Advanced Encryption Standard) was adopted and is currently used as an encryption standard by the US government.

    To emphasize once more: you should look for something that's equivalent to AES-128 or higher.  Don't be fooled by the number!  AES-256 is (arguably) more secure than AES-128, but if you find something along the lines of DKX-4000 (this is made up, by the way), just because 4000 happens to be a bigger number than 128 doesn't necessarily mean it's more secure than AES.

  4. Password-protection is NOT encryption.

    Taken verbatim from the FAQ, again:

    I password protect data when storing it on my laptop and when transmitting it wirelessly. Is that enough to satisfy the encryption requirement?

    No. 201 CMR 17.00 makes clear that encryption must bring about a “transformation of data into a form in which meaning cannot be assigned” (emphasis added). This is to say that the data must be altered into an unreadable form. Password protection does not alter the condition of the data as required, and therefore would not satisfy the encryption standard.
    As a further note, you should be aware that there are numerous ways of getting around password-protection for computers' hard drives as well as for files, the technical details of which I won't go into.

    If you often compress files (i.e., zip them up to make them smaller), the above definition of "transformation of data" seems to apply.  However, the definition for "encrypted" under 201 CMR 17.02 is "the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key."

    Since there is nothing confidential about a compression program--for example, note how different companies provide different programs for unzipping the same file--this cannot be called encryption.  Plus, data security experts would definitely disagree that compressing a file is tantamount to encryption.  In fact, such an argument is a good way to give them a heart attack.

  5. External/Portable hard disks must be encrypted as well(?)

    Since this is not covered in the FAQ, I'm guessing here.  However, when you note that laptops with sensitive information must be encrypted because a) they're portable devices and b) it's technically feasible to do so--well, those are true for external hard drives as well.

    Encryption software like AlertBoot is used to protect laptops as well as to provide external drive security.  Indeed, on a technical level they're the same thing: laptop encryption really means "encrypting the hard disk drive that's inside the laptop," so logic implies that any portable external hard drives with personal information must be secured via the use of data encryption, and there can't be exceptions to this (just like with laptops).
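To make points 3 and 4 concrete, here is a small Go program I've added to this post (it is example code written for this explanation, not AlertBoot's product code and not anything from the regulation).  It models three ways of "protecting" a constructed sample record on disk: a hypothetical password gate (`passwordGate`, which leaves the bytes as they were), gzip compression (a public process anyone can reverse), and AES-128 in GCM mode from Go's standard library (a 16-byte key is what makes it AES-128; a key of any other length is rejected).  The `MeaningAssignable` check asks the regulation's question: can meaning be assigned to the stored bytes without a confidential key?

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record standing in for "personal information"; not real data.
var sampleRecord = []byte("Client: Jane Doe, SSN 000-00-0000, account 123456789")

// passwordGate is a hypothetical model of password-only protection: a check
// sits in front of the data, but the bytes written to disk are the data itself.
func passwordGate(password string, data []byte) []byte {
	return append([]byte("PASSWORD="+password+"\n"), data...)
}

// compress transforms the bytes, but gzip is a public, keyless process:
// anyone with a gzip implementation reverses it.
func compress(data []byte) ([]byte, error) {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	if _, err := w.Write(data); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func decompress(data []byte) ([]byte, error) {
	r, err := gzip.NewReader(bytes.NewReader(data))
	if err != nil {
		return nil, err
	}
	defer r.Close()
	return io.ReadAll(r)
}

// newGCM builds an AES-GCM AEAD; a 16-byte key selects AES-128 (24/32 bytes
// give AES-192/256), and any other length is rejected by aes.NewCipher.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptAES128 returns nonce || ciphertext || tag. Without the key the output
// carries no recoverable meaning, which is what 201 CMR 17.02 asks for.
func encryptAES128(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, data, nil), nil
}

// decryptAES128 fails with an authentication error under any key but the right one.
func decryptAES128(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// MeaningAssignable reports whether the stored bytes still reveal the record
// without any secret: either verbatim, or after the public gzip transformation.
func MeaningAssignable(stored []byte) bool {
	if bytes.Contains(stored, sampleRecord) {
		return true
	}
	out, err := decompress(stored)
	return err == nil && bytes.Equal(out, sampleRecord)
}

func main() {
	key := make([]byte, 16) // 128-bit key => AES-128
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	gated := passwordGate("hunter2", sampleRecord)
	zipped, _ := compress(sampleRecord)
	sealed, _ := encryptAES128(key, sampleRecord)
	fmt.Println("meaning assignable without a key -> password gate:", MeaningAssignable(gated),
		"gzip:", MeaningAssignable(zipped), "AES-128:", MeaningAssignable(sealed))
}
```

Run it with `go run` and the first two checks come back true (the record is readable straight off the "disk" or after a plain gunzip) while the AES-128 output comes back false.  The design point worth noting for a buyer is the authenticated mode: with GCM, a wrong key doesn't produce garbage that might be mistaken for data, it produces an error, so a tampered or mis-keyed disk image is detected rather than silently misread.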

There are more things to do in order to be compliant with 201 CMR 17.00, including the use of locking file cabinets for papers that have sensitive information printed on them, and securing your office's wireless internet connections.  E-mails may require encryption as well, not to mention any attachments you're sending in that same electronic missive.

I strongly recommend reading the FAQ and the contents of "201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth."  If you're a lawyer, you'll be able to make more sense of it than I.

And, if you don't mind a plug, AlertBoot encryption software offers AES-128 as well as other encryption equivalents.  It's very easy to deploy, centrally managed over the internet, and designed to allow sharing of encrypted disks amongst office computers--or any other group of computers that you want.


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.