Breaches: Boards need to wake up

By John Dix, Network World, 01/25/2007

The first reports of fraud using data stolen from retail giant TJX in December started to trickle in last week, and many observers fear a torrent will develop.

Although the $16 billion company - which operates 2,300 stores, including the T.J. Maxx and Marshalls chains - won't say how many customer records were accessed, it says the hacked systems handled credit card, debit card and check information for transactions in 2003 and from mid-May 2006 through December 2006.

Unfortunately, these types of targeted attacks are becoming the norm. Skilled hackers are increasingly in it for financial gain, no longer entertained by the notoriety associated with the release of a virulent new virus or worm.

But you have to wonder why, in this day and age, this type of breach is still possible. It isn't like companies are unaware of the risk.

Data loss has been front-page news for years. According to the Privacy Rights Clearinghouse, more than 100 million customer records have been lost or stolen since February 2005. And the business risk is well understood. Conventional wisdom says it costs a company $150 for every customer record lost, and in some industries that is probably more like $1,000 per record. So if millions of records are lost, as some expect is the case with TJX, the math is pretty simple.

So why aren't all customer records encrypted everywhere? There is, apparently, a gap between IT's understanding of the problem and the boardroom's understanding of it or willingness to address it. Either we aren't yelling loudly, frequently or clearly enough about the risk, or boards are simply hoping against hope it won't happen on their watch.

Surely TJX would have paid whatever it would have cost to encrypt those records, because the costs associated with the fallout will be so much greater. Consider that the data breach at another retailer, DSW, is said to have cost the company some $10 million.

It isn't like the tools to safeguard against data loss are rocket science. There are plenty out there. And the good news is they are getting easier to acquire and manage.

Utimaco, for example, sells a suite of encryption products designed to protect data in motion, at rest and in use, says CEO Martin Wülfert. The company's tools cover everything from e-mail encryption to safeguarding data on handheld and mobile devices and even removable media.
