It was a difficult problem choosing which product we would select for our whole disk encryption solution. The problem is more complex than it appears on the surface because it is a fairly new sector of the software market and there are many players. We were basing a lot of the requirements on the California Disclosure law SB1386. This is the law which states that customers must be notified if any personal information is stolen or lost. The law describes personal information as the following:
For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted (SB1386)
This description of personal information is very broad. It does not require bank account numbers, or social security numbers, but only basic identity information. For us, the question which was the white elephant in the room was: what are the requirements to classify as encryption? There are many different types of encryption, and many different levels of security.
The Microsoft Windows XP operating system has encryption functions built in, but all of us were aware of the limitations of that. The Microsoft option would be free, because we already own it and it would classify as encryption, but none of the committee was comfortable trusting the security of this software.
We know that these laws will evolve, and we needed to be sure that the choice we made would be for the long haul. If we did not choose wisely we could find ourselves owning a product that has no upgrade path. In that situation we would be faced with needing to unencrypt and remove the outdated product, and install the new product. If this happened we...