When Starbucks earlier this month revealed it couldn’t find four laptops containing data on thousands of employees, IT administrators everywhere once again were forced to ask themselves: What’s our policy on protecting data on mobile devices?

The seemingly never-ending string of high-profile data loss cases — from Los Alamos National Laboratory to Allina Health to U.S. Veterans Affairs — is pushing more organizations to encrypt data on such devices as laptops and USB flash drives, and establish associated security policies.

“We do have policies specific to laptops that fall under our Mobile Device Policy,” says Tom Gonzales, senior network administrator for the Colorado State Employees Credit Union in Denver. The organization has codified a policy for securing laptops, disk drives, USB flash drives and CD-ROMs.

Gonzales describes the policy this way: “USB ports are disabled using the Cisco Security Agent, so only certain people such as IT can write to flash drives. We usually don’t encrypt the entire drive on users’ laptops, but do provide secure storage areas so that end users can just save the files to that location and they will always be encrypted. Our desktop PCs don’t have floppy drives or CD-ROM writers.”

The reason that companies are going to these extremes is clear: Data loss is costing them lots of money. The Ponemon Institute suggests each incident costs about $4.7 million — $182 per record. Using these numbers, the incident at Starbucks put as much as $10.9 million of data at risk (Starbucks said in a press release it is not sure what became of its laptops but has seen no evidence that data has been misused.)