take care to secure the encryption keys, and this is an area where we are really strong. We have a simple solution that doesn’t require a huge infrastructure to set up, and we have professional services staff who can help set up these systems inside companies.”
Imprivata of Lexington, MA, is another startup whose software could help some companies meet the new standards. Like several other Massachusetts companies, it makes software that limits access to corporate computers and networks—including “strong authentication” systems that force employees to enter a one-time password, complete a fingerprint scan, or possess an RFID-based “proximity card” in order to log on to a corporate network. Strong authentication “ensures that access to records [is] controlled and you can verify and report on the identity of the user accessing the data,” Imprivata co-founder and CTO David Ting wrote in a recent blog post about the Massachusetts data privacy regulations.
“These new regulations put the onus on the business to make sure they’re taking proactive steps to protect sensitive customer information,” Ting notes. “While the new regulations haven’t outlined the potential penalties for violation yet, the threat of a fine shouldn’t be the trigger for an action when it comes to protecting customer information. Nor should businesses wait until they have a breach before getting serious about security—these are common sense steps that all businesses should take to ensure that they’re protecting their critical assets and data.”
Plenty of other Boston-area companies are ready to help with software that protects data stored on company-owned machines or traveling on networks. A quick list of firms mentioned in Xconomy’s pages in the last year and a half would include Aveksa, Bit9, ChosenSecurity, Courion, Core Security, Enterasys, Liquid Machines, Mazu Networks, Memento, NetClarity, NitroSecurity, OpenPages, OpenService, Q1 Labs, Rapid7, the RSA division of EMC, Security Innovation, Tizor, Vaultus, and Verdasys.
Through their portfolio companies, Boston-area venture firms have connections to an even longer list of security firms that could end up benefiting from encryption mandates in Massachusetts, Nevada, and the other states considering such rules. Needham, MA-based Prism VentureWorks, for example, is an investor in GuardID of San Mateo, CA, which makes a USB device for PCs that stores encrypted personal data such as credit card numbers and account passwords.
Update, February 16, 2009: OCABR has once again pushed back the implementation date for the new encryption regulations, this time to January 1, 2010. “A sharp change in the business climate, along with the business community’s increased understanding of what is required to protect their customers’ identity, led to the new date,” the office said last week.