November 2007   
 
 

TECHNICAL INSIGHT: ACQUISITIONS


Encryption Adds an Extra Layer of Security for Personal and Business Data


Notifying individuals that their personal data has been compromised is probably one of the toughest tasks an organization will ever face. It’s never easy to break this kind of news.

Four years have passed since Senate Bill 1386, the California Security Breach Information Act, took effect. It requires organizations that maintain personal data about California residents to notify them if the security of that information is compromised. The aim of the legislation was to help stem the rising tide of identity theft. California was the first state to pass such a law; 34 other states have since enacted similar legislation. There is no federal law in place yet, but it seems only a matter of time.

The ChoicePoint incident of 2005, in which criminals posing as legitimate business customers obtained personal information on more than 145,000 consumers from the large data aggregation firm, ended up costing the company $15 million: $10 million in civil penalties and $5 million in redress for individuals who were victims of identity theft. (It is worth noting that encryption of stored data alone would not have stopped this particular breach, since the records were handed over through accounts that looked legitimate.) ChoicePoint initially notified only the affected California residents, as required by law, but media and public pressure forced its hand, and it eventually informed everyone affected. The episode illustrates how external pressures often lead to full disclosure of a major breach even in the absence of a federal law.

Since 2003, when Senate Bill 1386 went into effect, there has been a 50 percent increase in data breaches. [Source: Computerworld, August 20, 2007] New security vulnerabilities, more sophisticated threats engineered by well-organized cyber crime rings, and plain carelessness have all contributed to the rise in identity theft and data loss. According to the Privacy Rights Clearinghouse, more than 158 million data records of U.S. residents have been exposed as a result of security breaches since January 2005. A Gartner survey found that approximately 15 million Americans were victims of identity-theft-related fraud in the 12 months ending in mid-2006. Breaches have occurred in virtually every sector: retail, insurance, healthcare, education, and financial institutions. A quick look at the chronology of breaches on the Privacy Rights Clearinghouse website bears this out. (See: http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP)

What can companies do to provide adequate protection for personal data and avoid having to disclose breaches that may harm their reputation and alarm their customers?

Two legal cases shed some light on how such cases are handled. In Guin v. Brazos Higher Education Service Corp. and Forbes v. Wells Fargo Bank, the courts ruled that the Gramm-Leach-Bliley Act (GLBA), which includes provisions to protect consumers' personal financial information held by financial institutions, does not by itself impose a duty to encrypt personal information. But the Federal Trade Commission (FTC), which writes the GLBA safeguards rules for the financial institutions under its jurisdiction, has stated in several settlements that failure to encrypt data is evidence that a company was not taking reasonable security measures.

Whatever the legalities, the moral of the story is that investing in strong encryption is advisable if you handle personal data in any way, shape, or form. If your company were ever involved in a lawsuit over a breach, you would want to be able to confirm that the information was encrypted. To qualify for the safe harbor that exempts encrypted data from breach notification, you also need to be able to prove that the protection was actually in place when the data was lost or stolen: records from a central management console showing that a laptop's disk was fully encrypted at the time, and that the key was never stored on or exposed with the device, are far more persuasive than a policy document saying it should have been. The FTC regards encryption as a reasonable measure companies should take to protect personal data, and failure to take it can have serious consequences: the FTC has charged companies with failing to adequately protect information and has imposed consent decrees and stiff fines.

With the acquisition of SafeBoot this month, McAfee rounds out its data protection offerings with encryption and strong access control technologies that protect data, devices, and networks against the risks associated with loss, theft, and unauthorized access. SafeBoot takes a comprehensive approach to encryption. It encrypts individual files and folders as well as the entire local hard drive on a wide range of mobile devices: laptops, smartphones, USB drives, and PDAs. It can also encrypt file servers and secure confidential files as they move through an organization. From a central management platform, data is protected at rest, in use, and in motion. One caveat applies to any full-disk encryption product: it protects data only while the device is powered off or locked. Once a user has authenticated and the volume is mounted, the operating system and its applications see plaintext, so file-level encryption and access control still matter on a running machine.

Cost-effective and easy to integrate into existing enterprise systems, encryption is a reasonable measure everyone should consider adding to their security risk management strategy sooner rather than later.
