Encrypting data can save you lots of heartache. How should you do it?
"If it's encrypted and it's stolen, you don't have to report it," says Cherie Mitchell, COO and principal at LuciData, referring to state privacy laws that require companies to disclose the theft or loss of unprotected notebook computers that may contain sensitive, personally identifiable information. Due in part to those disclosure laws, LuciData, an internal management and computer forensics consulting firm, adopted whole disk encryption, also known as full disk encryption, which encrypts every bit of information stored on a company's hard drives.
Full disk encryption is sold in two ways: built into the drive hardware by disk makers, notably Seagate, or offered as an option by notebook computer companies. Lenovo, for example, offers Seagate's full disk encryption as a $25 to $30 premium option, says Stacy Cannady, director of client services at Lenovo. One downside of drive-level encryption is that it's hard to manage, Cannady says. That's why an entire category of stand-alone whole disk encryption software is emerging. Among the options in this segment are Check Point Full Disk Encryption, Encryption Plus Hard Disk from GuardianEdge, McAfee Endpoint Encryption, PGP Whole Disk Encryption and SafeGuard Easy from Utimaco Safeware. Symantec's strategy is an OEM deal with GuardianEdge. Pricing for these packages ranges from about $100 per seat to about $250. The Enterprise and Ultimate editions of Windows Vista also include a full disk encryption feature called BitLocker.
There is one large caveat about whole disk encryption: If your hard drive fails, there's virtually no way to recover the data. "You need to be really clear on the backup policy for an encrypted drive," Cannady says.
Also bear in mind the work needed to access encrypted data if your company needs to produce it as part of a lawsuit or regulatory request. Mitchell's company chose Utimaco's software because it works with most forensics tools used today. And make sure you're in control of the password policy for your employees so that if someone leaves, data can still be recovered, Cannady adds. Before investing in a particular product, make sure you understand your individual compliance or regulatory issues.
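The recovery point above, that data must stay reachable after an employee leaves or when it has to be produced for a legal or regulatory request, comes down to escrowing recovery material somewhere the company controls. The following is an added example, not code from the article or from any vendor named in it, showing how that looks for BitLocker using its PowerShell module: it checks that every volume is fully encrypted, makes sure a recovery-password protector exists, and backs that protector up to Active Directory. It assumes a domain-joined Windows machine with BitLocker enabled and the group policy that permits storing recovery information in AD. Note that key escrow addresses access after a departure, not the separate problem of a failed drive; that still needs a data backup.

```powershell
# Added example (not from the article). Assumes: Windows with the BitLocker
# PowerShell module, a domain-joined machine, and policy allowing AD backup
# of recovery information.
Import-Module BitLocker

foreach ($vol in Get-BitLockerVolume) {
    # A volume that is only partly encrypted gives no protection for a lost laptop.
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        Write-Warning "$($vol.MountPoint) is $($vol.VolumeStatus); not fully protected."
    }

    # Find the recovery-password protector(s); this is what lets the company
    # unlock the drive without the departed user's PIN or TPM.
    $recovery = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if (-not $recovery) {
        # No recovery password exists yet: add one before relying on the drive.
        $updated  = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
        $recovery = $updated.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    foreach ($kp in $recovery) {
        # Escrow the recovery password in Active Directory so the company,
        # not the individual, controls recovery.
        Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
        Write-Output "$($vol.MountPoint): recovery protector $($kp.KeyProtectorId) escrowed to AD."
    }
}
```

Run this from an elevated PowerShell session on the managed notebook, or as a scheduled task, so that a recovery password is on file before the machine ever leaves the building; the same check is what an auditor would ask for when a device is reported lost.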
For Chris Shaw, 37, the impetus to invest in encryption technology for his laptop about two years ago was pretty simple. His $2 million technical personnel recruiting firm, S4 Partners Inc. in El Granada, California, deals with highly sensitive personal information. So Shaw chose file-level protection technology from Voltage Security instead of protecting his whole disk.
"A mentor once told me, 'Never let one consultant or one transaction take down your business.' All it would take is one Social Security number or one piece of salary information getting out to ruin me," says Shaw. "Encryption eliminates that possibility. Plus, it makes both my consultants and my clients feel better about me."