"Most people use a Windows name and password. That becomes the key to encrypt the data. If someone actually stole your laptop to steal your data, that key would not stop them for very long," Preston says. A harder-to-crack, global key-management system for Windows exists as part of Microsoft's Active Directory infrastructure, "but not everyone uses it," he adds.

Laptop manufacturers like Lenovo Group Ltd. are incorporating encryption capabilities into their systems, and Microsoft Corp. will add encryption capabilities to the upcoming Vista version of its Windows operating system.

Don't encrypt everything

When it comes to assessing what constitutes "sensitive" data, most companies will find that there are only 8 to 12 bits of information per record, on average, that need encryption, says Gartner's Ouellet. Depending on the type of business, this can include Social Security numbers, credit card information, financial records, health information, intellectual property documents or information about sexual orientation.

"Once you've identified what those bits are, you can choose what solution gives you the biggest carpet covering over the area," says Ouellet. He offers the example of a large retailer that performs online and telephone transactions and holds a lot of credit card information. Within the database, the most sensitive data should be protected.