Your Guide To Good-Enough Compliance
Noncompliance is a fact of life as the list of security and privacy regulations grows. The key is knowing how to comply just enough so that you don't waste your time or bankrupt your company.
This is particularly pertinent when it comes to deciding whether to encrypt data. No law currently requires companies to encrypt data, but it is an effective way to protect data, and the FTC has fined companies for privacy breaches. So what to do? Pedro says a best practice has developed in the past year that recommends encryption for data that may leave the organization (data on laptops, PDAs and in e-mail) while leaving data that remains in-house (on, say, a mainframe) unencrypted.
Again, you will want to document why your organization believes that this is an appropriate practice. “If you can show that you have read the pertinent regulations, and show that this is your interpretation of what the regulation says, and you can show intent to protect the data, you are more protected than those who haven’t done that,” Pedro says.
Notification: The Risk Analysis
At a 2006 security conference, Protegrity VP Taylor ate lunch next to the CISO of a large metropolitan university. The CISO told Taylor that she had received an e-mail from one of her programmers informing her that the school may have experienced a breach that may have exposed students’ personal information. The programmer was unsure if the law required the school to report the incident and asked the CISO for guidance.
Taylor asked her what she did. She said she wrote back to the programmer telling him not to do anything.
Taylor told the CISO that the university should have reported the breach. The CISO disagreed, saying, essentially, that because very few people review system log files and because only one or two people at the university understood the systems and the data in them, it was probable that the breach would go unremarked and undiscovered. “I was thinking, Wow,” Taylor recalls. “That’s a risky chance to take.”
According to Behnam Dayanim, a privacy attorney with Paul, Hastings, Janofsky & Walker, state security breach notification laws are among the most frequently ignored types of security regulation. About 35 states have passed security breach notification laws, which lay out, to varying degrees, when an enterprise needs to notify customers and clients if their private information may have been exposed to an unauthorized user. According to CIO and PricewaterhouseCoopers’ “The Global State of Information Security 2006” survey, 32 percent of U.S. organizations admit to not being compliant with state privacy regulations.
There are two possible explanations for why the noncompliance rate is so high. First, the risk of being caught is low because it has been extremely difficult to tie a specific instance of fraud to a specific breach at a specific company, says Jim Lewis, a security expert at the Center for Strategic and International Studies in Washington, D.C. (Recent lawsuits filed against TJX—owner of discount retailers TJ Maxx, Marshalls and other stores—which claim that credit card numbers stolen during a security breach in 2005 and 2006 led to specific instances of fraud, may indicate that this fact of security life is changing. For more on the TJX breach, see Financial Penalties for Security Breaches Will Promote Change.)