A document that recently landed on my cluttered desk restores my faith in mankind – well, at least in mankind's ability to properly manage its email – and if so only in Minnesota. Regular readers of this blog (both of you) may remember that I have a tendency to rail against state agencies that either recommend or require people to use email to submit sensitive documents, while providing no encryption method for that transmission. Specifically, I have mentioned by name the state of South Carolina and the New York Workers' Comp Board.
The document, printed from the State of Minnesota's website, tells me that we have found one state agency that gets it, and is moving in the right direction. The Minnesota Department of Labor and Industry uses the state's encryption system for email. Users getting email from MN DLI have to set up an account with the Microsoft Exchange Hosted Encryption Service in order to be able to “unlock” and read the message. Users only need to register once, and just be able to remember a password when prompted after that. Any reply to that email will automatically be encrypted for the return trip. It is not a perfect system, and theoretically someone who intercepts a secure email might be able to register to read it – I don't know. But they would have no clue what was in there until they did, and “packet sniffers” (used to scan electronic transmissions) would have no way of selecting those emails with potentially sensitive information.
Most people do not realize how unsafe email can be. It is NOT a means for the transmission of sensitive or personal data; at least not in an unencrypted form. Frankly, I would prefer a secure web based portal for the uploading of documents to the state, but in the absence of that, Minnesota's efforts go a long way to solving the security issue some states face.
The Minnesota website makes no mention of unsolicited or original emails sent to them. As far as I can tell, they do not have a method to force encryption on those types of emails. As long as the state is not setting up a system asking people to send documents that way, I don't see a problem.
As I said, it's not perfect, and a bit cumbersome, but it is a great start. It's official. This week I love Minnesota.