How to develop an enterprise encryption strategy

An end-to-end strategy must factor in all the ways the data can be input and output, as well as how it’s stored


Here’s a sobering prediction: One-third of all adults in the United States will have their personal identity information compromised or lost this year by a company that electronically stores the data, according to figures supported by the Privacy Rights Clearinghouse. Whether or not that number is perfectly accurate, the list of publicly known data breaches is staggering nonetheless.

Who is to blame? Hackers and careless employees, to be sure. But increasingly, culpability also falls squarely on companies that fail to encrypt confidential data. Ultimately it is the company that must shoulder the burden of far-reaching consequences. Failing to protect confidential data is not only a threat to customers and damaging to corporate reputation -- in some cases it’s illegal. Sixteen of the 20 existing U.S. state privacy laws require encryption to protect confidential consumer data, according to Warren Smith, vice president of marketing at GuardianEdge Technologies, whose products were recently purchased by the U.S. Department of Veterans Affairs.

Unfortunately, operating system and application vendors haven’t made it easy or seamless to create a comprehensive encryption strategy. Existing laws and guidelines often conflict with one another or fail to provide prescriptive guidance. Nonetheless, all companies in the business of storing sensitive data should implement encryption policies anchored to a comprehensive encryption strategy.

“In order for encryption to be used consistently, it has to be implemented by default and be as transparent as possible,” says Stephen Roll, product manager at Iron Mountain, a data protection company. “For example, when we back up data over the Internet, the encryption is done prior to the transmission. It’s protected while being transmitted and is already encrypted with 128-bit AES before it hits the storage media.”
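The "encrypt before it leaves the host" pattern Roll describes, as an added example written for this page (not Iron Mountain's or InfoWorld's code): a small Go program seals a record with AES-128 before it is handed to a transport or backup writer, so the bytes that cross the network and land on tape are already ciphertext. The 128-bit key length is the one the quote names; the use of GCM (an authenticated mode that also detects a corrupted or relabelled backup), the nonce-prefixed blob layout, the sample record, the label and all function names are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is 16 bytes, i.e. AES-128, the key length the article quotes.
const KeySize = 16

// NewBackupKey returns a fresh random AES-128 key. In production the key
// lives in a key-management system, never on the same medium as the backup.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealForBackup encrypts plaintext under key before it leaves the host.
// The backup label is bound as additional authenticated data: it is stored
// in the clear but cannot be swapped for another set's label undetected.
// Output layout (an assumption of this example):
//   nonce (12 bytes) || ciphertext || GCM tag (16 bytes)
func SealForBackup(key, label, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, giving nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, label), nil
}

// OpenBackup reverses SealForBackup. Any change to the blob or the label
// (a truncated tape block, a bit flip, a relabelled archive, a wrong key)
// fails authentication and returns an error instead of silent garbage.
func OpenBackup(key, label, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, label)
}

// LeaksPlaintext is the sanity check a backup pipeline should run on what it
// actually writes to media: the stored blob must not contain the original bytes.
func LeaksPlaintext(blob, plaintext []byte) bool {
	return len(plaintext) > 0 && bytes.Contains(blob, plaintext)
}

func main() {
	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record and label standing in for a customer row.
	record := []byte("customer=jane.doe@example.com;ssn=000-00-0000")
	label := []byte("backup-set-2008-10-10")
	blob, err := SealForBackup(key, label, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; plaintext visible on media: %v\n",
		len(blob), LeaksPlaintext(blob, record))
	blob[len(blob)-1] ^= 0x01 // simulate a corrupted or tampered tape block
	_, err = OpenBackup(key, label, blob)
	fmt.Println("tampered restore rejected:", err != nil)
}
```

The point the quote makes is about ordering: the encryption call sits in front of the network or tape writer, so nothing downstream (the link, the backup server, the media vault) ever handles plaintext. Two operational caveats follow from the code: the key must be stored and rotated separately from the blobs it protects, and with random 96-bit GCM nonces a single key should not be used for an unbounded number of backups, so rotate keys per backup set or on a schedule.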

No room for compromise

Any data that can be used to identify an individual, group, company, or entity should be protected against unauthorized access during creation, transmission, operations, and storage. Confidential information is especially at risk during transmission across untrusted networks, such as the Internet, and when stored on portable computing devices: laptops, data backups, USB flash memory drives, PDAs, and other small form-factor computer equipment.

A comprehensive encryption strategy must consider all the ways the data can be input and output, as well as how it’s stored. Hackers increasingly favor client-side attacks: they get a trusted employee to unknowingly install a Trojan or key logger, which they then use to access the data. Certain malware can also capture data as it traverses the network. The data may be compromised while it is stored online or physically archived. An end-to-end strategy must even enforce protections for data sent to business partners and third parties.

Even a minimalist approach requires that the following areas be encrypted: wired and wireless network transmissions, hard drives, floppy disks, CD-ROMs, DVDs, backup media (tape, WORM drives, and so on), e-mail, IM, peer-to-peer technologies, PDAs, databases, USB keys, passwords, and active memory areas.

Building your strategy

Creating an encryption strategy requires significant review and effort. It’s best to approach this as a major project, involving key members of operations, management, and IT. Start by bringing together key data stakeholders and explain the mission. As a group you must identify applicable regulations, laws, guidelines, and external influences that will have an impact on your purchasing and implementation decisions. From there, you can move on to identifying high-risk areas, such as laptops, wireless networks, and data backups.

Encryption is useless if an attacker can access confidential data directly and skip the burden of having to defeat any cryptography. So, a successful strategy defines strong access-control techniques, using adequate combinations of file permissions, passwords, and two-factor authentication. Access controls must be audited on a regular basis to ensure their validity.

Roger A. Grimes is contributing editor of the InfoWorld Test Center.