Michelle Drolet, CEO of Towerwall Inc.

Wednesday, May 12, 2010

Costs, stakes rise for data security standards

By Galen Moore

The dust has settled since Massachusetts’ data privacy law took effect March 1, and data security firms large and small are surveying a changed landscape.
The standard for data security is rising, they report, even among companies not necessarily affected by Massachusetts regulations. But many companies, particularly in the small and midsize strata, are looking anywhere they can to cut the costs of compliance — which are proving much higher than anticipated.

Sophos Plc, a $260 million data security software company with dual headquarters in Burlington and the U.K., has seen a change in enterprise customers’ perceptions of what it means to protect sensitive data, said chief marketing officer Rainer Gawlick. “They see the writing on the wall. Massachusetts isn’t the only state where this is happening. It’s become almost received wisdom and part of good clean corporate governance and operations.”

Sophos last week sold a majority shareholder interest at an $830 million valuation to private equity investors, who plan to add new hires and target acquisitions as threat complexity increases and the industry becomes “consumerized” — with employees choosing their own devices for work computing.
However, at the same time enterprise customers have their eye on such emerging data security needs, Sophos’ small to midsize business customers are finding it hard to afford the basic encryption demanded by Massachusetts’ new law, said Sophos vice president of corporate strategy Arabella Hallawell.

State officials estimated the required steps, which include encryption of data, a written security plan, password protection, protection from viruses and e-mail, and due diligence on third-party vendors, would cost a business with 10 employees about $3,000 up front, and another $500 a month. Firms that do not comply, no matter where they are based, could be held liable if Massachusetts residents’ personal data is compromised.

That cost estimate has proven inaccurate, said Michelle Drolet, CEO of Towerwall Inc., a small group of security consultants in Framingham. “The dollar amount that the state said it was going to cost for even a small company to become compliant is crud,” she said. “It’s not true. Some of this stuff has to be budgeted.”
As a result, many small and midsize businesses are considering what steps toward compliance they can handle internally, without paying a consultant, said Eze Castle Integration Inc. business continuity consultant Lisa Smith.

Eze Castle, a 240-person company based in Boston, mostly works with the hedge fund industry providing data-security services. Many fund managers already have data-protection steps in place, Smith said, but they could benefit from a comprehensive look at what data they have, how it is managed and where it resides. That can be done most thoroughly with a new generation of data loss prevention (DLP) software. However, many customers are stopping short of that step. “They’re not doing in-depth analysis,” Smith said. “It’s being done manually.”

Written information-security programs required by the Massachusetts regulation are providing companies of all sizes with an opportunity to clean house, said John McDonald, security evangelist at EMC Corp.’s RSA division. For example, many financial customers have long used data security measures like encryption of sensitive data, but many have not undertaken to determine where they may be holding or handling sensitive data unnecessarily, he said.

“How can I basically reduce my (data) footprint?” is the question, he said. “If I have old credit card numbers out there, instead of protecting them, how can I get rid of them?”

That can be daunting when employees may have stored sensitive data any number of places. Home PCs can be scanned with employee permission, he said, but many employees may have used services like Gmail or Google Docs to handle work documents. “To be honest, I don’t think anybody’s come up with a really good answer to how you do that with stuff like Gmail accounts,” McDonald said.

Still, the new regulations have prodded financial managers to lend an ear to their IT departments, McDonald said. The knowledge that companies could be subject to legal action has pushed IT security higher on business’ list of spending priorities, he said.

Many firms perceive data-security steps as necessary not only to comply with the law, but also to protect a company’s reputation — and to do business responsibly, said Eze Castle’s Smith. Many expect other states to adopt regulations very similar to Massachusetts’ new law, and they are hoping to meet the standard before customers elsewhere begin asking about data security.

“I have clients who have said they think this is going to happen all over,” Smith said. 