In Advance of New Massachusetts Privacy Law, Liquid Machines Offers Enterprise-Class Security Software to Mom-and-Pop Businesses
The Commonwealth of Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has taken pity on recession-dazed business owners in the state, putting off the deadline for meeting new data encryption regulations from January 1, 2009, to May 1, 2009, and then postponing enforcement again until January 1, 2010. Sooner or later, though, all Massachusetts businesses small and large will have to comply with the new rules, which are designed to combat breaches of private data like those that have struck Framingham, MA-based TJX and Scarborough, ME-based Hannaford Bros.
As I observed back in December, one business’s headache is another’s bounty. Massachusetts has a thriving cluster of companies in the computer security, risk management, and compliance business, and some of them are greeting the new regulations as an opportunity to sell data protection technologies and services down-market to companies much smaller than those they’re used to dealing with.
Liquid Machines, a Harvard University spinoff in Waltham, MA, is one of those companies. It sells data-loss-prevention software that gets inside office software such as word-processing programs and e-mail clients, automatically encrypts all of a business’s digital documents, and controls who gets to view them. The software is targeted at Fortune500-scale companies with thousands of employees, and Liquid Machines normally wouldn’t bother trying to market it to small- and medium-sized businesses. But through a recently announced partnership with Mansfield, MA-based HR Knowledge, a payroll processing company, Liquid Machines now offers a cloud-based subscription version of its rights management software.
I got the lowdown on so-called “Information Protection for Compliance Solution” last week from HR Knowledge president and CEO Jeff Garr and Liquid Machines vice president of corporate development Ed Gaudet. Until recently, Gaudet says, most state regulations around data privacy have been non-prescriptive—they merely required companies to notify customers in the event of a data breach. “But now you’ve got Massachusetts and Nevada and other states saying, ‘Thou shalt encrypt,’ and that opens up opportunities for companies that offer some type of encryption, which Liquid Machines does and has since the beginning,” Gaudet says.
Specifically, the new Massachusetts regulations—known by the melodious name 201 CMR 17.00—require that all businesses operating in the state encrypt all personal information stored on computer hard drives or transmitted electronically. The rules, which apply to both employee data and customer data, define “personal information” as a person’s last name and first name or first initial in combination with confidential data such as a social security number, a driver’s license number, a bank account number, or a credit or debit card number.
While most of the large organizations that are Liquid Machines’ typical clients already encrypt their data and will be able to meet the new requirements without a struggle, that’s not the case for the thousands of smaller companies in the state—hence the opportunity. Yet Liquid Machines isn’t set up to cater to small companies; its rights-management approach to document software requires some training and handholding up front, a process that gets even more demanding if a company isn’t large enough to have its own IT department. “We made some early forays into this and we learned that it really requires knowledge of small businesses and an understanding of what they know and don’t know,” says Gaudet.
Which is where HR Knowledge comes in. “When we first found out [about 201 CMR 17.00] it concerned me greatly, because I hadn’t heard about it and I feared my clients hadn’t either,” says Jeff Garr. “And it’s just as I thought If I go out and talk to 10 small businesses, three or four won’t know anything about the law, and five or six will have heard of it but won’t know much about it, and none of them will have any clue about what they need to go to get compliant.”
But as it happens, Liquid Machines outsources much of its HR and payroll operation to HR Knowledge. “When we learned that one of our clients is in this space, one thing led to another, and we realized there might be an opportunity to partner up and provide a service to assist companies with compliance,” says Gaudet.
The Information Protection for Compliance Solution, rolled out on March 16, is a slimmed-down version of Liquid Machines’ rights-management software that runs on HR Knowledge’s servers rather than the end users’ own machines, as at Liquid Machines’ larger clients. The system adds control functions called “droplets” to programs such as Microsoft Office and Adobe Acrobat; these droplets allow administrators to set up policies determining who can read, edit, or print business files. HR Knowledge consultants help users learn the system, set up the appropriate policies, and produce the documentation required for compliance.
The service is priced at $125 per user per month, plus a one-time setup fee. A typical small company, Garr says, would have only one or two users, such as the bookkeeper or office manager. For a company on the scale of Xconomy—with about 10 employees—the yearly charges would come to around $3,000, he says. (Perhaps not coincidentally, that’s exactly in line with OCABR’s estimates for the average cost of complying with the new privacy laws.)
Ironically, Garr says HR Knowledge never really wanted to get into the software business. “We are an HR company, not an IT company,” he says. “Our job is to make sure that our clients are compliant, and up to now, compliance has meant things like having a sexual harassment policy and hiring and terminating employees properly. But with this new law, HR also means protecting electronic and hard-copy information about employees, and that’s really a key motivating factor for us. This is something we have to do to protect our clients.”
Companies have another nine months to comply with 201 CMR 17.00, and getting a new company up and running on Liquid Machines’ software only takes 8 to 12 hours of on-site training, Garr says. But he wouldn’t recommend putting compliance off, the way the state keeps doing by moving back the deadline. “Knowing what we know about what can happen if this personal information gets out,” says Garr, “I think it’s in everyone’s best interest to handle it now.”
Update, March 31, 2009: Utimaco, the Foxborough, MA- and Oberursel, Germany-based security company featured in my December story on the Massachusetts reguilations, today unveiled a nifty Compliance and Regulation Portal on the Web. It’s full of resources on how businesses can comply with shifting legal regulations concerning the privacy of personal data.