In the U.S., the state government in Massachusetts requires companies to report when they've lost sensitive information about their employees, customers or other key constituencies. This week, for the first time, Massachusetts reported back on what companies have been disclosing.
According to a Boston Globe story, almost half of Massachusetts residents have had their personal information, such as Social Security and credit card numbers, compromised.
According to the story, Massachusetts companies are further required to encrypt data that is placed on portable devices, but most lost or stolen devices are not encrypted.
The story reads: "Of the 365 devices reported lost or stolen over the past four years, only 13 were encrypted, the state said."
The state laws are right to require encryption, since data that is encrypted the right way (with proper management of the encryption keys) is really the only fail-safe method for protecting sensitive information. The Massachusetts report will correctly spotlight the need for encryption and encryption key management across a wider range of businesses and industries.
Encryption may have a reputation for being challenging to deploy, but bulk encryption of stored data has become considerably easier. The arrival of embedded self-encryption capabilities in backup tape drives, disk drives and arrays, and SAN switches from a host of storage vendors, coupled with new key management standards such as KMIP, means that there is really no excuse for not encrypting stored sensitive data.
With increasing pressure from various regulatory bodies, and from laws such as those in Massachusetts, more and more companies will adopt encryption as a basic best practice.