Above all, make sure that adding encryption does not add passwords for users to remember, says John Pironti, chief information risk strategist for IT services consultancy Getronic. You don't want users writing them down and taping them to their laptops. As he notes, "If someone gets the password, the encryption is meaningless." That's another reason why California's Quinlan ensured that the encryption software worked with the agency's existing single-sign-on technology. NIST's Szykman uses the same approach.

The PDA Time Bomb

What's even more likely to get lost than a laptop? The increasing storage power of handheld PCs makes them a ticking time bomb, warns Getronic's Pironti. They tend to be used by executives who work with the enterprise's most critical and valuable data, and "these guys lose these things all the time," he says. The problem for CIOs: Encryption software available for handhelds is not as effective as it needs to be, says Cryptography Research's Kocher, due to their relatively limited computing capabilities.

The only consolation, Kocher says, is that handhelds don't store much data. That will be a bigger problem in the future. Meanwhile, IT should enforce password access to the devices.

Although vendors promote remote-kill capabilities to wipe a stolen or lost handheld's data, this leaves a huge gap; Pironti notes that the devices are vulnerable before reported lost or stolen.

Citing the unsatisfactory security situation, NIST is considering standardization on Research in Motion's BlackBerry devices, which have built-in data encryption capabilities, says Szykman. He'd prefer to be able to allow the device diversity that his users would like to have, and will continue to explore encryption solutions available for other vendors' offerings, he says, but one option that may emerge is not supporting other PDA platforms.

Facilities service provider Aramark has standardized on the BlackBerry due to security concerns, says CIO of Aramark's global food and facility services businesses David Kaufman. A big BlackBerry advantage: "It has a consistent security model across all devices and networks," he says, so the tools are quite reliable. That wasn't the case for other handhelds he tested.

Insurance Will Cost

Ultimately when you encrypt data, you're buying an insurance policy, which has several costs. The obvious cost is the up-front deployment spending, including software licenses, installation, integration and often upgraded hardware. For example, NIST's Szykman had to replace a few laptops because their hard drives were too small and their CPUs too slow to handle the added demands of encryption. Then there's the several hours necessary to encrypt each drive the first time, which can disrupt user productivity.