Data encryption for SMBs: it's an issue that bears looking into because of the upcoming compliance requirements of Massachusetts's 201 CMR 17.00 regulation (aka the "data breach law"). While there are many aspects to cover under 201 CMR 17.00, including keeping paper documents under lock and key, perhaps the issue that has raised the most ruckus is the requirement that laptop computers be protected with encryption. The 201 CMR 17.00 rules have been updated, amended, and changed numerous times over the past year, but one thing that has remained steadfast is that laptops storing sensitive personal information must be encrypted. (If you read the regulation, it explicitly names laptops as requiring encryption, whereas desktop computers, for example, are not pointed out by name.)
Per the latest published revisions in November 2009, the encryption requirement has been deemed technology neutral: that is, the regulation will not define any specs or standards for what counts as acceptable encryption. So what do you use, then? Will any type of encryption work? For an answer, you may have to turn to federal law. While there is no federal consumer data protection law in place yet, as of December 2009 a data breach bill has passed the US House of Representatives and is waiting to be voted on by the Senate. In that bill, the question of "what type of encryption to use" is resolved by requiring that "the method of encryption or such other technology or methodology is generally accepted by experts in the information security field" as being adequate. (Read more on the federal law on data breaches.) Problem solved. Kind of. Currently, the generally accepted level is AES with a 128-bit key (AES-128) or a cipher of equivalent or greater strength. This will change in time, although it will probably be good enough for at least a decade or so, unless there is a significant breakthrough in computing technology.
There is also the matter of cost to consider, and not just the obvious costs an SMB is normally subjected to. Minimum license counts, for example, get in the way of adopting easy-to-use full disk encryption software. A small or medium sized business may need anywhere from one license to, say, five (one for each computer it uses). The problem? Many of the established encryption providers will only do business with companies willing to sign up for a minimum of, say, 25 licenses. What is an SMB going to do with the remaining 20 licenses that it has to pay for but leaves unused? There is the problem of upfront payment as well: some providers will claim that it only costs "so many dollars a month," but in many cases an SMB has to prepay for the entire year. Technically, you are only paying so many dollars a month, but the cash flow impact is much more severe. For example, if each license costs $100 per computer per year, then at 25 licenses you are facing a one-time charge of $2,500. Sure, that works out to $208.33 per month if you do the arithmetic, but the cash flow story is an entirely different thing. (Plug: AlertBoot actually charges month to month and has no minimum license requirement.)
Also, if you're in a rush to get your laptops encrypted, you may have to wait a bit. With most encryption companies, someone has to do the installation for you; only a handful let you install the software yourself. There are probably other issues that SMBs face when getting into the spirit of the new Massachusetts regulations, but when it comes to laptop encryption, the above should cover the bases, not just in terms of compliance but also from an SMB's business perspective. (If not, or if you have other questions, feel free to send us an e-mail at info@alertboot.com.)
Related Articles and Sites:
http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf
http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h2221eh.txt.pdf