The Evolution of Data Encryption Regulations
Mark Wright, Principal Systems Consultant, Sybase iAnywhere
Do any of your businesses operate in the state of Massachusetts? How about their agents or representatives?
A new law being put into effect requires data to be encrypted while in transit as well as when that data resides on any device.
There are similar laws all over the country that require you, as a company, to do your “due diligence” to protect data, but this is the first state law that requires all personal information about residents, whether stored or transmitted, to be protected by end-to-end encryption.
The Massachusetts law, known as Standards for the Protection of Personal Information of Residents of the Commonwealth, was prompted in part by the many lawsuits that have enveloped companies and governments stemming from stolen devices and lost information.
The state is taking these measures to protect itself and companies that reside within Massachusetts. In most cases, once these regulations are put into place it is likely there will be many others to follow.
One example is a California Senate Bill that in turn prompted several other states to create regulations that require the increased protection of sensitive consumer data.
Massachusetts was the 39th state to implement a Data Breach Law, and Nevada has a similar law that calls for the “personal information” of a customer to always be encrypted.
Many of these regulations leave a lot to interpretation as to whether or not someone put the appropriate measures in place to protect personal information.
Massachusetts is taking data encryption regulation to the next level by actually defining what is meant by “encryption”, and this definition covers all data in transit, in storage, and on portable devices.
Portable devices can be laptops, iPods, mobile devices (Windows Mobile, Symbian, BlackBerry), and iPhones. Even portable thumb drives are considered portable devices under this law.
Businesses must comply by January 1, 2010.
A lot of companies are scrambling to put a solution in place even though they are not based in Massachusetts, simply because they may have some presence there and could be held responsible for the mishandling of data under this regulation.
For instance, an insurance company might not be headquartered in a particular state, but it may have agents there whose portable devices hold personal information about residents.
The insurance company will ultimately be responsible for encrypting the data on that device. They will also be responsible for ensuring the encryption of any data that is transmitted from that device to any location.
What does this mean for your company? Not a lot right now if you don’t do any business in Massachusetts. But if you do, then you need to have a solution in place.
Even if you don’t do business there, you must determine how long it may be until this type of regulation is passed in other states or countries in which you do business.
Will the laws that are put in place already be modified to define what encryption is, similar to what Massachusetts is doing? Are you ready for that?
There are a lot of studies that have been done regarding the costs associated with lost or stolen data, and the numbers are staggering.
What can a company do to address these data breach laws?
Sybase Mobility has several approaches to help address encryption enforcement:
Sybase iAnywhere’s Afaria product protects the portable laptop with Full Disk Encryption and thumb drive encryption. Afaria also provides encryption for Windows Mobile, Palm and Symbian devices.
With Mobile Office a company can provide the needed encryption for business data in their E-mail and PIM information by providing an encrypted sandbox on the iPhone, also allowing for business processes to move through the sandbox in a secure manner.
SQL Anywhere and SUP (Sybase Unwired Platform) provide secure data encryption in the mobile database, so that insurance applications or similar applications have their data protected within the application itself.
Don’t wait to enable a solution that will help you position your business for these types of laws.
Put a solution in place early so that your business is prepared when these new laws take effect and in the unfortunate event that sensitive data is lost or stolen.
Mark works for Sybase as a systems consultant. He is an expert in mobile device management, mobile security and mobile application enablement. Mark acts as an evangelist for mobile device management and security, and is an expert in Afaria components including Security Manager, Session Manager and the Relay Server as well as integrating Afaria into the Sybase Unwired Platform.
Sybase iAnywhere, a subsidiary of Sybase, Inc. (NYSE:SY), enables success at the front lines of business. The company holds worldwide market leadership positions in mobile and embedded databases, mobile management and security, mobile email, mobile middleware and synchronization, and Bluetooth® and infrared protocol technologies. Sybase iAnywhere plays an important role in the Sybase Unwired Enterprise strategy, which focuses on managing and mobilizing information from the data center to the point of action. Tens of millions of mobile devices and over 20,000 customers and partners rely on the company’s “Always Available” technologies, including Sybase Unwired Platform, SQL Anywhere, Afaria and iAnywhere Mobile Office.
* * *
The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com