The Commonwealth of Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has taken pity on recession-dazed business owners in the state, putting off the deadline for meeting new data encryption regulations from January 1, 2009, to May 1, 2009, and then postponing enforcement again until January 1, 2010. Sooner or later, though, all Massachusetts businesses small and large will have to comply with the new rules, which are designed to combat breaches of private data like those that have struck Framingham, MA-based TJX and Scarborough, ME-based Hannaford Bros.
As I observed back in December, one business’s headache is another’s bounty. Massachusetts has a thriving cluster of companies in the computer security, risk management, and compliance business, and some of them are greeting the new regulations as an opportunity to sell data protection technologies and services down-market to companies much smaller than those they’re used to dealing with.
Liquid Machines, a Harvard University spinoff in Waltham, MA, is one of those companies. It sells data-loss-prevention software that gets inside office software such as word-processing programs and e-mail clients, automatically encrypts all of a business’s digital documents, and controls who gets to view them. The software is targeted at Fortune500-scale companies with thousands of employees, and Liquid Machines normally wouldn’t bother trying to market it to small- and medium-sized businesses. But through a recently announced partnership with Mansfield, MA-based HR Knowledge, a payroll processing company, Liquid Machines now offers a cloud-based subscription version of its rights management software.
I got the lowdown on so-called “Information Protection for Compliance Solution” last week from HR Knowledge president and CEO Jeff Garr and Liquid Machines vice president of corporate development Ed Gaudet. Until recently, Gaudet says, most state regulations around data privacy have been non-prescriptive—they merely required companies to notify customers in the event of a data breach. “But now you’ve got Massachusetts and Nevada and other states saying, ‘Thou shalt encrypt,’ and that opens up opportunities for companies that offer some type of encryption, which Liquid Machines does and has since the beginning,” Gaudet says.
Specifically, the new Massachusetts regulations—known by the melodious name 201 CMR 17.00—require that all businesses operating in the state encrypt all personal information stored on computer hard drives or transmitted electronically. The rules, which apply to both employee data and customer data, define “personal information” as a person’s last name and first name or first initial in combination with confidential data such as a social security number, a driver’s license number, a bank account number, or a credit or debit card number.
While most of the large organizations that are Liquid Machines’ typical clients already encrypt their data and will be able to meet the new requirements without a struggle, that’s not the case for the thousands of smaller companies in the state—hence the opportunity. Yet Liquid Machines isn’t set up to cater to small companies; its rights-management approach to document software requires some training and handholding up front, a process that gets even more demanding if a company isn’t large enough to have its own IT department. “We made some early forays into this and we learned that it really requires knowledge of small businesses and an understanding of what they know and don’t know,” says Gaudet.
Which is where HR Knowledge comes in. “When we first found out [about 201 CMR 17.00] it concerned me greatly, because I hadn’t heard about it and I feared my clients hadn’t either,” says Jeff Garr. “And it’s just as I thought If I go out and talk to 10 small businesses, three or four won’t know anything about the law, and five or six will have heard of it but won’t know much about it, and none of them will have any clue about what they need to go to get compliant.”
But as it happens, Liquid Machines outsources much of its HR and payroll operation to HR Knowledge. “When we learned that one of our clients is in this space, one thing led to another, and we realized there might be an opportunity to partner up and provide a service to assist companies with compliance,” says Gaudet.
The Information Protection for Compliance Solution, rolled out on March 16, is a slimmed-down version of Liquid Machines’ rights-management software that
