Encryption market is taking off

The market for encryption products and solutions is taking off thanks to growing regulatory pressures on business, according to encryption vendor PGP Corporation.

The privately traded company will announce next Monday that it has taken $40m (£21m) worth of cumulative product bookings in the past 12 months, and over $100m worth of product bookings since it was set up in November 2002.

"We're very pleased with how well things are going," said Andrew Krcik, vice president of marketing for PGP Corporation. "This is a strongly regulation-driven business, and the European Union is a leading force in specifying privacy requirements."

"There are issues around protecting customer data, and there are increasing concerns that intellectual property is easy to get out of the business," said Krcik.

Legal experts agree that the European security market is likely to get a boost from companies trying to comply with both current data-protection laws, and upcoming legislation.

Currently, the EU Data Protection Directive and the UK Data Protection Act does not specifically mention encryption, but they do say that companies should take appropriate technical measures against the unlawful accessing, damage to and destruction of data, said Struan Robertson, senior associate at Pinsent Masons Solicitors, which specialises in IT law.

"The use of encryption is likely to increase [due to legal requirements]," Robertson told ZDNet UK. "The cost of security products has also dropped, making it more affordable and realistic for businesses to take that extra level of security."

The Data Protection Act also affects the e-commerce and financial sectors. To follow best practice, firms in these sectors should encrypt credit card details where they are stored, Robertson said. Other upcoming regulations may also help the security industry. The Law Society is currently drawing up data protection guidelines for law firms, according to Robertson.

The upcoming EU Data Retention Directive, which member states must implement by August 2007, will force Internet service providers, fixed line and mobile operators to hold the identity of callers and the sender and recipient of emails for not less than six months, and not more than two years. To be compliant with data-protection laws, that information should be held securely.

European politicians are also considering security breach disclosure laws, similar to American laws in 33 states that require companies to tell everyone affected by any breaches.

"At the moment, if a [European] company is hacked, no-one hears about it," said Robertson.

Privacy and electronics communications regulations already require telcos and ISPs to inform customers when security risks take place, and to take appropriate action in the event of a security breach.

The security breach disclosure proposals being considered by the EC take those regulations further, with a requirement that regulators are notified when a security breach takes place.

"This could give companies a stronger incentive to invest in security," said Robertson.