A laptop can be lost at the airport, stolen from a parked car, or taken while the user is away from his/her desk. Even desktop computers are susceptible to theft. Although hardware can be easily replaced, the loss of customer privacy and exposure of proprietary information is not as easily repaired. In fact, the hardware replacement value of a lost or stolen computer is dwarfed by the resulting expenses and lost revenue an organization may experience due to the breach. The consequences of losing confidential, customer data are significant both in terms of dollars lost and the ability to run your business include:

1. Lost business – Following a security breach, businesses experience higher rates of customer turnover and lower new customer acquisition.
2. Notification – Businesses contacted affected customers (in many cases, required by law) to notify them of the breach.
3. Detection & escalation – The identification, investigation, and auditing of a breach are some of the first steps organizations take immediately after a breach.
4. Legal – A variety of interested or affected parties including government prosecutors or agencies, shareholders, and affected individuals may seek criminal or civil action in the courts.
5. Regulatory – An organization may be compelled by law or corporate governance to take actions, including remediation, paying fines, or discontinuing services.
6. Remediation – An organization may be compelled to or voluntarily take corrective actions, including fixing the breach vulnerability, notifying and supporting affected individuals or organizations, and mounting a public relations campaign.
7. Brand equity – Other consequences may have long-term implications on brand equity. Brand damage may subsequently lead to a reduction in pricing power, diminished marketing effectiveness, and other competitive disadvantages, for example.

Action Steps
The best contacts and resources to help you get it done

Identify Easiest Hard Disk Encryption Options

While there are a number of product options, there are one or two that are most likely to be right for you. The products in this category cover a wide range of prices and features -- all are standalone software packages -- independent from the underlying operating system (OS).

I recommend: SC magazine, just completed an excellent overview of Hard Drive Encryption, including product reviews.

Understand the Risk to Your Business

Each industry and business is subject to different risks. Studies have shown that the cost per lost record can vary from $50-2500.

I recommend: Reading the excellent Ponemon study "2006 Annual Study: Cost of a Data Breach"

Learn the Laws and Regulations Governing Your Business

These are the regulations that influence the need for encryption:• California Senate Bill 1386 – California's Database Security Breach Notification Act. As of November 2006, 31 states had enacted similar laws modeled after SB 1386. • Gramm-Leach-Bliley Act – also known as the Financial Services Modernization Act, was passed by Congress in November 1999 to help the financial services industry respond to new developments in technology, global competition, and the changing demand for financial services. • Health Insurance Portability & Accountability Act – (HIPAA) requires the (HHS) to ensure standardization of electronic patient data, assign unique health identifiers to patients and others, and implement security standards to protect the confidentiality and integrity of all “individually identifiable health information.”

I recommend: Reading overviews of these laws.  Either at their home sites or a summary included in the PGP White Paper 'Full Disk Encryption Buyer's Guide.'  Wikipedia provides a good summary of Gramm-Leach-Billey.  HHS provides a good overview on Security Standards Technical Safeguards [PDF, 238KB]. Or read the SB 1386 Compliance Management Toolkit

Tips & Tactics

Helpful advice for making the most of this Guide

• •  Organizations considering hard drive encryption should evaluate solutions based on four requirements:1. End-user productivity – The solution should remain transparent at all times and not interfere with end-user productivity.
• •  2. Enhanced data security – Beyond full disk encryption, the solution should provide options for protecting and controlling USB flash drives by policies as wells as files stored on shared systems and files and directory archives shared with others.
• •  3. Centralized management – The solution should allow for central management that enables administrators and help desk staff to easily support remote users.
• •  4. Business continuity – Encrypted data needs be accessible (according to policy) not only today, but for years to come