You've probably heard about situations in which a mobile computer is lost or stolen, with the Personally Identifiable Information (PII) of thousands, perhaps millions, of people just like you and me. In the wrong hands, names, addresses, Social Security numbers, and other sensitive information can leave people in a financial quagmire for years to come. This isn't some far‐fetched fantasy, but (unfortunately) an event that occurs all too frequently. Finally, organizations are beginning to realize that they must to do something about breaches like this. Perhaps they feel some sense of moral obligation to protect sensitive data entrusted to them. However, for many more organizations, their recent willingness to spend a bunch of time and money to protect this data has far less to do with any sense of moral obligation and more to do with legislation.

Currently, more than three‐dozen states have some sort of data breach legislation that requires notification if certain types of data are compromised. The standard for such protection at this point is that the data must be encrypted. After several high‐profile data breaches left millions scrambling to protect themselves from identity theft and other crimes of fraud, more states are certain to follow through with their own data breach ...