Will Data and Encryption Regulations Impact SaaS Partners?
As the State of Massachusetts and other states revise their privacy and encryption laws, I'm receiving a lot of questions from service providers about the impact of laws and regulations on their customers’ data. Many of these questions focus on encryption rules and third-party vendors. Here's my view on the situation.
As a vendor, Intronis uses tight encryption standards to secure our partners’ client data. Our partners can access the data with an encryption key that only they have. Intronis doesn’t have access to that key, nor can we decrypt the data in our data centers.
The security measures that Intronis already employs are soon to become law in Massachusetts (here's a PDF with some background). This new law, which takes effect April 1, 2010, requires any business that collects personal information of state residents to encrypt that information on all portable devices, in wireless transmissions, and across public networks. The law also compels businesses to develop an information security program with up-to-date firewall protection. Additionally, businesses must take steps to select and retain third-party vendors that have the capacity to maintain appropriate security measures for personal information.
This legislative focus on data security follows in the wake of the TJX data security breach of 2005. The theft of 45.6 million credit and debit card numbers from the Massachusetts-based company was certainly enough for government officials to stand up and take notice. Many lawmakers in other states are looking to adopt similar laws to protect the privacy and data of their residents.
These types of requirements are often first adopted by states with tech-heavy industries before they spread to other states or even become federal law. In fact, Nevada is another state pushing forward with a new security regulation. Like Massachusetts, Nevada mandates the use of encryption to secure personal information.
However, I didn’t realize the full impact of the data security challenge this law change poses to service providers until I was tapped by one of our partners, Lighthouse Networks, to speak about the soon-to-be adopted Massachusetts security law at an upcoming conference.
I’m not an attorney, so you’ll have to ask your lawyer for legal advice, but I think that these laws that require specific technology to protect privacy present a great opportunity for service providers—even for those that don’t do business in Massachusetts or Nevada.
The more you can position your business as a leader in what you do best, the better positioned you will be to charge a premium for your services. I talk to partners all day long who are constantly haggling over price because they haven’t positioned their services as unique.
Lighthouse Networks of Eastern Massachusetts is a prime example of a service provider that uses current news and trends to position itself effectively in the marketplace. Lighthouse is sponsoring an informational seminar on data security and what SMBs should know about the new law.
They will host 100 small businesses and have secured two vendors—Intronis being one—who will explain how the law applies to their particular channels. Not only will Lighthouse have 100 leads to follow up on after the event (they are going to be very busy), they are branding themselves as something more than a sticker price. They are offering valuable information to their relevant community.