ABSTRACT
Encryption is driven by compliance requirements and data threats. Senate Bill 1386, which became effective on July 1, 2003, mandated that California residents must be notified if there is reasonable cause to suspect a breach of their unencrypted personal information. The operative word is unencrypted. Many companies have moved to encrypt personal information to avoid the hefty costs and reputational damage of breach notification. The Health Information Technology for Economic and Clinical Health Act (HITECH), enacted in 2009 to complement the Health Insurance Portability and Accountability Act (HIPAA), has encryption implications. Similar to SB1386, HITECH requires breach notification for breaches of unencrypted electronic health information. Noncompliance can lead to civil penalties that can extend to $250,000 per violation and up to $1.5 million for repeated offenses. The Payment Card Industry Data Security Standard (PCI-DSS) also has specific encryption requirements for securing credit card data in transport, in storage, and on backup tapes. Noncompliance leads to fines and potential business impact. The Ponemon Institute's 2011 data breach report [1] estimated the organizational cost of a data breach at $5.4 million, with a per-record cost of $194. This per-record cost varies from industry to industry (Figure 6.1).