Some of the state breach notification laws, like California's SB 1386, say that unencrypted personal information falls within the scope of notification. So, if a breach occurs, or is suspected to have occurred, and everything is encrypted, you may not have to report the incident to the information owners. But, if it's unencrypted, that's when you'll have to worry about it. It varies from state to state, so you've definitely got to do some research in this area. Even with SOX, it could be argued that financial controls may include storage encryption.
So, it all depends on the particular scenario, the size of the organization, whether or not you are a credit card merchant for PCI, etc. There needs to be someone in every organization that can look at these laws and say what's what and put you on the right track.
Check out the entire Storage Encryption FAQ guide.
This was first published in October 2007