The Payment Card Industry Data Security Standard (PCI DSS) and HIPAA are driving encryption projects across industries, according to the 2009 Encryption and Key Management Benchmark Survey, conducted by research firm Trust Catalyst on behalf of Thales.

In the survey, which polled 655 IT professionals around the world, 53 percent of the U.S. companies responding said they are planning encryption projects to comply with HIPAA. Fifty-two percent of the European companies surveyed are planning encryption projects to comply with PCI DSS. Continuing a trend from the 2008 report, however, organizations continue to be at risk, with only 43 percent using database encryption and 41 percent using tape encryption.

As organizations plan to tackle compliance with encryption, they are spending more time and effort on key management planning. Thirty-four percent of respondents have now spent one year or more planning for key management issues, up from 26 percent last year. Driven by demands for business continuity and availability, 49 percent of organizations indicated they must be able to recover an encrypted database in one hour or less, up from 37 percent in 2008.

The study also found that 5 percent of organizations have experienced problems with a lost or compromised encryption key over the last two years. Key management errors or breaches resulted in 39 percent of these organizations losing data permanently or disrupting business operations.

"These results show clearly that two of the most important pieces of data -- a person's credit card details and their health records -- and the regulations designed to safeguard this data are the major drivers for companies to encrypt data," said Franck Greverie, vice president and managing director for the information systems security activities of Thales.

"The impact of a data breach is one of the main security headaches for CEOs and IT specialists alike, and regulation is already playing a role in terms of tightening data security," Greverie said. "The very nature of encryption means that data is secure even if many of the other enterprise security mechanisms fail, and regulators and industry will therefore grow to depend on encryption."