Data Encryption for Windows: TrueCrypt
Protecting your customers' data against accidental leakage is perhaps one of the most important concerns facing CIOs today. Almost every week there is a news story about some organization that inadvertently lost a laptop containing Social Security numbers, backup tapes containing credit card data, or some other type of personally identifiable information. When these data leaks occur, they not only cost your corporation credibility but also place you in serious legal jeopardy.
I am familiar with this issue firsthand. About a year ago a customer requested copies of backup tapes for their ERP system. We duplicated the tapes and sent them via UPS. The tracking numbers show that the tapes made it to the local warehouse; however, after that point they completely disappeared. In our case the data was already in an encrypted format, so we had little concern over the missing tapes. Had encryption not been involved, this could have been a disaster, as the tapes contained all of the company's financial, sales, and procurement data.
When looking at the various encryption products available, one stands out because of an important feature it offers: it's free! In an era of ever-shrinking IT budgets, the words "open source" and "free" are like music to the CIO's ear. Another really important advantage of going with an open source solution for encryption is that you can be relatively sure the product in question lacks backdoors, as its source code is being reviewed by literally hundreds of developers.
TrueCrypt, http://www.truecrypt.org, works using a concept very similar to one found in server virtualization. It creates a file on your local machine that will later act as a virtual hard drive. This file can be formatted with either a FAT32 or NTFS file system. The file is encrypted with the algorithm you select and can then only be accessed with a password. Once you have created this file, you use the TrueCrypt program to mount it as a drive letter, and you simply access it as though it were any other disk resource attached to your machine. Once you've copied the data to the encrypted drive, you can dismount it, making it unavailable for anyone else to view without the password.
This particular technique is very useful if you are planning to send data to a third party via e-mail or FTP. All the third party requires in order to decrypt the data is a copy of the TrueCrypt software and the password.
Another option for using the software is creating a larger volume on your workstation or desktop and using it to store sensitive data such as your Outlook PST files, spreadsheets, and MP3s! One of the advantages of this arrangement over whole-hard-drive encryption is that you are only encrypting the data that you're worried about and not expending CPU and I/O resources on making sure no one steals a copy of your Microsoft Office DLLs. The downside, of course, is that it relies on you to ensure that everything that needs to be protected goes to that encrypted volume. (It's been my experience that any system relying on the discipline of end users is doomed to failure.)
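The downside described above can be checked rather than left to discipline. The following Python script is an added example, not part of the original article or of TrueCrypt: it lists sensitive file types that sit outside the mounted encrypted volume. The function names, the extension list, and the constructed `vault` directory (standing in for the mounted drive letter) are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumption: extensions taken from the article's examples (PST files, spreadsheets).
SENSITIVE_EXTENSIONS = {".pst", ".xls", ".xlsx", ".csv"}


def find_unprotected(scan_roots, encrypted_mount, extensions=SENSITIVE_EXTENSIONS):
    """Return sensitive files under scan_roots that sit outside the mounted volume."""
    mount = Path(encrypted_mount).resolve()
    findings = []
    for root in scan_roots:
        for dirpath, dirnames, filenames in os.walk(root):
            here = Path(dirpath).resolve()
            if here == mount or mount in here.parents:
                dirnames[:] = []  # already on the encrypted volume: skip subtree
                continue
            for name in filenames:
                # Case-insensitive match so "payroll.XLSX" is still caught.
                if Path(name).suffix.lower() in extensions:
                    findings.append(here / name)
    return sorted(findings)


def build_constructed_tree(base):
    """Constructed sample layout: 'vault' stands in for the mounted drive letter."""
    base = Path(base)
    files = [
        "vault/mail/archive.pst",    # protected: inside the volume
        "vault/finance/q3.xlsx",     # protected
        "Documents/payroll.XLSX",    # unprotected: saved to the wrong place
        "Desktop/export.csv",        # unprotected
        "Documents/readme.txt",      # not a sensitive type
    ]
    for rel in files:
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample")
    return base, base / "vault"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root, vault = build_constructed_tree(tmp)
        for hit in find_unprotected([root], vault):
            print("outside encrypted volume:", hit.relative_to(root.resolve()))
```

On a real workstation, pass the user profile directories as `scan_roots` and the volume's drive letter as `encrypted_mount`.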
For the price-conscious CIO, I would highly recommend this product. It doesn't offer all the features of commercial products such as PGP; however, it does go a long way towards mitigating the potential legal issues you could face with a data breach.



