Regulatory compliance has moved up as the primary driver for encryption in the United States, according to a Ponemon Institute-Symantec report, moving ahead of data breach mitigation. The fifth annual U.S. Enterprise Encryption Trends report also reported a rise in the number of organizations that have experienced more than five breaches.
In the 2010 study of 964 U.S.-based IT managers and executives, 69 percent of the respondents cited compliance as a primary driver for adopting encryption, up five points over 2009. Mitigating data breaches, the previous leading driver, was cited as a primary reason by 63 percent of the respondents, a drop of 4 percentage points from the previous year.
"The issue of compliance has become more important to practitioners," said Larry Ponemon, chairman and founder. "We don't know if it's a blip with HITECH and the HIPAA expansion to business associates, PCI DSS, or various state laws such as Massachusetts, but it seems to be more important, especially around mobile devices, such as laptops." PCI has shown the most dramatic increase as a reason for encryption over the years, rising from 15 percent in 2007 to 69 percent.
Most of the respondents (88 percent) said their organizations had experienced at least one data breach, but only one category, those that reported more than five breaches, increased, up 3 percent to 25 percent.
The most dramatic change over last year's survey was the importance of encryption as part of the organization's risk management program. While most changes in responses year to year were measured in a few percentage points, nearly three-quarters of those surveyed said that data protection was "very important" in their risk management program, a 12 percent jump.