This past Tuesday, we held a webcast on the new Massachusetts Data Protection Law, a.k.a. 201 CMR 17. Here's a link to the replay [reg. required]. I ran out of time to answer all of the questions, but there were so many good ones so I decided it was worth writing a post to answer them.
Q: If you use a workgroup version of PGP Whole Disk Encryption can you still get reports on compliance or do you need the Universal Server to prove compliance?
A: Yes, PGP Whole Disk Encryption Workgroup Edition does provide basic reporting that you can use to demonstrate compliance.
Q: What is the impact of computer speed when the entire disk in encrypted?
A: We generally see negligible impact on performance once the initial encryption has taken place.
Q: How does encrypting the BES server affect data on the hand held devices?
A: PGP Support Package for BlackBerry does not encrypt the BES server. Rather, it turns on and manages email encryption on the BlackBerry devices themselves. Email passes through the BES server in an encrypted state, and is decrypted at the receiver's end, either on another BlackBerry or using PGP Desktop Email or PGP Gateway email. Here's a more detailed description.
Q: What is the best way to encrypt email for a company with no server / no budget for server?
A: There are a few solutions. You can purchase copies of PGP Desktop Email for individuals. These do not require a server, but generally this is for small groups. Alternately, you could work with a PGP Partner that provides a hosted version of secure email.
Q: If you are using PGP email encryption and the recipient isn’t, what is the process?
A: You may want to take a look at PGP PDF Messenger, which provides clientless email encryption for secure email communications with large groups of customers and partners.
Q: What about email encryption, if the recipient doesn't have a PGP key or product?
A: See above answer.
Q: How to you protect email for 1/2 dozen users and not have to encrypt for the entire corporate 200 email users?
A: Two options: a) buy a small number of PGP Desktop Email only for those users, or b) purchase PGP Universal Gateway email and configure to act on behaf of those six users.
Q: What PGP product should be used for encrypting a folder on an FTP Server that is located in a DMZ?
A: Most likely you would want to use PGP Command Line, but there may also be configurations where PGP NetShare could make sense.
Q: My small business has 5 employees, how small can your solutions go and how cost effective. Can you provide some ballpark costs based on the different solutions.
A: Please check out the PGP Store, where you can see actual prices for small quantities.
Q: Is it possible to demo PGP software?
A: You can register for an eval version here.
Q: Are password protected PDF files considered encrypted?
A: Here's a good overview of how encryption and passwords work in PDF docs.
Q: For email encryption, do you require that recipients have certificates, and if so how do you get recipients to start using them?
A: The recipient does n0t need certificates necessarily and may just need a PGP key. This is typically done during installation.
Q: What if someone with a foreign USB key tries to enter a PC? How is that handled?
A: With PGP Endpoint Device Control, you can configure a list of authorized devices - a white list - and all other devices are denied by default.
Q: Can your PGP encryption software, when installed on a USB drive, restrict the user from copying the data, and only displaying it?
A: Yes, you can restrict the copying of data using PGP Endpoint Device Control.
Q: Are there any plans to extend the 128GB limitation for PGP Portable so it can be used on larger USB drives?
A: I thought my 4GB USB was cool, but capacities are increasing all the time. We are considering increasing the capacity. We would like to hear from others that think 256GB support is needed. Q: How to share encrypted data with end users that do not have PGP software installed on their workstation?
A: This is exactly what PGP Portable was designed to do.
Q: When a BlackBerry user receives an email message that has an encrypted attachment, is the encrypted attachment kept on the BES server when the user decrypts it in order to read it? Or is it sent directly to the user's BlackBerry and decrypted there?
A: The attachment is decrypted on the BlackBerry device. Q: Does personal information need to be encrypted on the server or in databases? A: This is an excellent question. As relates to encryption, the Massachusetts law requires:
Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly; and
Encryption of all personal information stored on laptops or other portable devices;
For information that can be "accessed via the Internet" the regulation requires "there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information." So, at a simple level, the law is aimed at encrypting data that will be transmitted or transported. Depending on how the data in files on your server and in your databases is used, you may need to or want to encrypt. Best to get together with your IT, security and legal folks to walk through your use cases.
Q: The device examples you presented for encrypting were targeted at the endpoints. How about data center server disk storage and backup tapes. Is the Massachusetts law requiring encryption of the backup tapes that leave data center for off-site vault storage?
A: See above answer.
Q: How can a Massachusetts law be enforced outside of Massachusetts?
A: This is more of a legal question than a technical question. First, let me reiterate that the regulation applies to "all persons that own or license personal information about a resident of the Commonwealth." So, a common example is that you are doing business in Massachusetts, even if your headquarters is somewhere else. Most states require a business to sign a "Consent to Service of Process" when a company applies for a business license with that state. As an example, the form Statement and Designation by Foreign Corporation - Stock. On the last page of the form, last paragraph, the business owner agrees to the jurisdiction of California. I'm sure your legal counsel could elaborate on your specific circumstances.
Q: How can this regulation be applied for existing personal information on "Paper"?
A: There's a whole section on paper records.