Basically, this law will be modeled largely on the California law that started the whole mess, sending an initial round of companies scrambling to encrypt their data. Encryption is the best way to avoid going through the public disclosures that have made headlines over the past few years. The net effect of the state and federal laws is to make sure that sensitive customer information is protected when it leaves your data center.
So what do you do? Either make sure nothing leaves your extended firewall, or if it does, encrypt it. Options are available for both strategies. In the data deduplication tech center, I have been listing the replication capabilities for the various dedupe vendors. Deduplication makes electronic vaulting viable for many organizations. It may be enough to keep you in line with these new mandates. For many larger organizations, dedupe alone is not going to be enough. There is simply too much data that has to be kept too long. As we discuss in our article Archiving Basics, disk-based archives are a viable augmentation to your backup strategy, and most can encrypt data either prior to being replicated to a remote site or as it lands at a remote site. Even if the archive is stolen, you are protected.
If you are going to move data to tape, you are going to need some sort of encryption capability. Some of the tape manufacturers have encryption built into the drives, and some of the tape library manufacturers have the capability built into the library, though some sort of add-on appliance or blade for your SAN backbone will be required. These appliances or blades have the added advantage of encrypting primary disk storage as well as tape. Encryption of primary storage, as I have written about in the past, becomes important when you look to dispose of old storage systems.