2005 was a rough year for people worried about the security of their personal information. In compliance with California's law mandating that companies reveal "unauthorized acquisition of \[data\] that compromises the security, confidentiality, or integrity of personal information," major companies--among them Bank of America, CitiFinancial, LexisNexis, and ChoicePoint--sent more than 51 million such notices to their customers.

Not surprisingly, sensing an issue that resonates with the public, Congress has jumped into the data-security fray. A bill called the Data Accountability and Trust Act (DATA) is starting to wind its way through the legislative process. Although many critics in Congress believe that the act doesn't go far enough--some feel that it preempts stronger state laws with a weaker federal standard--nobody is arguing that the proposed data-security law goes too far. The need to improve data security is clearly on the legislative agenda.

But has data security made its way onto the business IT agenda? Not according to a recent study sponsored by GlassHouse Technologies, a provider of independent services that help organizations solve enterprise storage problems. In a survey of more than 300 companies, 54 percent revealed that they hadn't documented procedures for protecting stored data, and a whopping 70 percent of the senior executives who responded rated their companies' data storage security as only fair or poor.

The survey queried executives in 16 industries, including government, telecommunications, technology, energy, financial services, aerospace, and health care, and found that most companies don't yet really understand the source of threats to their data. For example, 61 percent believe that external threats to data are more significant than internal threats, albeit insiders have much more access to sensitive data. Moreover, around 51 percent worry more about protecting their company's intellectual property than protecting their customers' personal information, although the immediate consequences of mishandling customer information can be far greater.

And since executives apparently don't yet fully understand the data-security problem, many organizations haven't yet seriously addressed it. For example, the GlassHouse survey reveals that only 15 percent of respondents encrypt backup data.

But if companies' data-security infrastructures are either ineffective or nonexistent, who will take the lead in responding to the compliance issues those enterprises clearly face? According to Jim Geis, director of storage solutions at Forsythe Technology, a national provider of technology-infrastructure solutions, although storage and network administrators will have to work closely on security issues, eventually security must be integrated into the storage infrastructure. "Information security transcends perimeter security," Geis says.

It won't be easy. Building an effective data-security infrastructure means making complicated decisions about issues such as encryption and access. For instance, how much data should be encrypted? When should it be encrypted? And who manages encryption keys?

These types of decisions have to be made in the context of balancing security concerns with the need for access and availability. Encrypting too much data can impede overall system performance and deny users timely access to data they need. Clearly, effective encryption requires a data-classification program. In terms of security issues, all data is not equal.

However, IT pros can take certain steps immediately to beef up data security. For example, administrators can ensure that old backup tapes are stripped of data before they're sent for recycling. Geis notes that in a recent study, more than 60 percent of old tapes still had unencrypted data on them.

Data security isn't an issue that can be easily solved by throwing more, or more sophisticated, technology at it. In many cases, effective technology isn't yet available. And even when technical data-security solutions exist, exactly where and how they should be implemented isn't yet clear.

In fact, the first step toward building an effective data-security infrastructure is to develop policies governing data access and flows. "Policy is first," Geis says. And the development of policy has to start now because companies face real long-term and significant costs when their data security is breached.