Archive for November, 2010

ICO enforces first data breach fines – four steps to avoid them

Yet again, data breaches are in the spotlight. The Information Commissioner’s Office (ICO) made its first round of data breach fines last week, effectively giving the Data Protection Act (DPA) “teeth.” The ICO showed that its bite lives up to its bark, penalizing a local council and an employment services firm to the tune of a combined £160,000.

But, future fines are largely avoidable, if organisations adhere to security best practice. For a data breach to attract financial penalty, the ICO must be satisfied that a serious breach is likely to cause “damage or distress” and that it was either “deliberate” or “negligent” and that the organisation “failed to take reasonable steps to prevent it.”

Information has become the lifeblood of organisations and it must be managed properly. To avoid further data breach fines, organisations need clear guidelines in place to determine how sensitive information is used.

New Research Shows Compliance Driving More Encryption Adoption

Recently, the Ponemon Institute completed the 2010 Annual Study: U.S. Enterprise Encryption Trends. This was the fifth year for the annual study on encryption usage and the results indicate a distinct shift in what’s driving companies to implement encryption technologies.

In past years, data breach mitigation has consistently been the top driver of encryption adoption—organizations were buying encryption in response to a breach issue. But, for the first time regulatory compliance has surpassed data breach mitigation as the top reason why organizations deploy encryption technologies.

And, there’s no shortage of industry data protection and privacy regulations to comply with. There’s a veritable alphabet soup of regulations—HIPAA, PCI, HITECH—plus more data protection legislation at the state level. The impact of all these regulations is reflected in our research.

Organizations are getting ahead of the curve with their encryption strategy before the breach occurs, not after. They want to prevent exposure and make sure data is safe; and they’re allocating the funds to do so.

Revisiting the Brave New World of PCI 2.0

It’s been a busy couple of weeks since the release of the PCI DSS version 2.0, as organizations and assessors alike pore over the documentation and begin planning. Nowhere is this more evident than in the discussions I’m already having with clients. I’d like to talk about some of the questions and feedback I’m hearing, as well as some more of the changes you may want to consider in planning.

There are 132 changes to the PCI DSS: 115 clarifications, 15 items of additional guidance, and two evolving requirements. As I mentioned in my last post, this may seem daunting. However, while there may be items in the clarifications that do present opportunities or challenges, many of the clarifications will have minimal impact on what compliant organizations have been doing previously.

PGP Whole Disk Encryption Compatibility Problem with Mac OS X 10.6.5 Update

Note: This post has been updated on Jan. 7, 2011

Symantec has identified a potential issue with the Mac OS X 10.6.6 upgrade process and PGP Whole Disk Encryption. Until this issue is resolved, we strongly recommend that customers using PGP Whole Disk Encryption do not upgrade to Mac OS X 10.6.6. Customers that have already successfully upgraded should take no action.

If the update to OS X 10.6.6 has already been made and the machine fails to boot, the data on the machine is not lost. The system can be restored using the PGP Recovery CD. Instructions can be found in this Knowledgebase Article.

This issue has the highest internal priority at Symantec, and we’re working on a maintenance release that will proactively address this issue. We will update our customers with the resolution information as soon as it becomes available.
