The San Jose Medical Group last week notified about 185,000 people that they are at risk for identity theft after burglars stole two Dell computers from the group's administrative offices March 28. The computers contained patient names, confidential medical information, and Social Security numbers. (See SC Magazine report here).
Warren Smith, a vice president at encryption software supplier PC Guardian, noted that the California law requiring organizations to notify California residents of security breaches affecting them only applies to incidents involving unencrypted data.
Other regulations such as Sarbanes-Oxley also lead companies to encryption, Smith said.
"We believe over time - there is no case law yet - but when there is, it will establish encryption as the common denominator and the safe harbor for organizations," Smith said.
However, a proposal for a national security breach notification law by Sen. Dianne Feinstein would apply to incidents involving both encrypted and unencrypted data.
Encryption is the obvious solution to averting disasters such as Bank of America's loss of computer tapes containing government charge card information on 1.2 million federal workers, Ray Everett-Church, principal at consulting firm PrivacyClue, said earlier this year.
"Encrypted files are not going to be easily read by your average identity thieves," he said.
However, encryption costs money, Everett-Church said: "The cost to encrypt a database can be quite substantial. It requires additional computers and ways of authentication."
John Pironti, enterprise solutions architect at Unisys, said protecting information sometimes requires disabling a business practice, which an organization will balk at.
"As soon as you tell an organization that you have to start encrypting things or reducing access, the case is made that 'this is part of our business. We can't do that, we won't be able to draw revenue'," he said.