What's German for 'Data Security'?

Law Firm Bulletin - Legal Technology
Business starts with trust, which is why, when PETCO.com opened for business in 2001 to sell pet supplies to consumers, it made some reassuring promises. "At PETCO.com, protecting your information is our number one priority, and your personal information is strictly shielded from unauthorized access," the Web site said. It also said, "Entering your credit card number via our secure server is completely safe. The server encrypts all of your information; no one except you can access it."

If only that had been true. Apparently the company hadn't taken the necessary security measures to protect against well-known technical vulnerabilities. In 2003 a 19-year-old programmer used a technique called an SQL injection attack and was able to read customer credit card numbers. The revelation turned into a Federal Trade Commission charge of deceptive advertising. By 2004, Petco entered a settlement with the FTC that entailed overhauling its security, biennial security audits and continued agency oversight -- for 20 years.

Since then, international regulation of data security has become ever more complex, with penalties for noncompliance varying from civil fines to jail time. In fact, virtually all major regulations either directly or indirectly require companies to maintain security and control of data. With these ever-changing rules, it may seem impossible to keep up, but that's not true -- it just takes a lot of work. But while experts point to general best practices, there is no easy checkoff list, as implementation details completely rest on a company's specific circumstances.
