Already 44 states have enacted laws stating that if businesses lose customer or employee data they are responsible for it.
So far the most aggressive state in this regard, California, levies fines of $250,000 for every third party that gets an unauthorized look at a customer’s medical records. That is, if 10 people see such a record, the fine is $2.5 million.
All this would seem to be a powerful incentive for any kind of business to invest in encryption software, which is deemed the most effective method of protecting such data. Yet according to Richard Gorman, president and CEO of the Santa Clara, Calif.-based Vormetric, one of the biggest players in the encryption market, the compliance rate is still fairly low. “It’s a small percentage, less than 10 percent,” Gorman says.
Awareness may be lacking
Why? Though encryption solutions can range in price from $30,000 to more than $100,000, Gorman says the main reason for the low adoption rate is lack of awareness. “Most companies just don’t realize how easy it is to do it,” he says.
According to Eric Ouelette, vice president of research and security for Gartner, of Stamford, Conn., there are two main types of encryption solutions for businesses -- e-mail and database encryption.
Ouelette says that, of the two, e-mail may be the more important. “E-mail [encryption] is definitely something a lot of small and medium businesses need to have,” he says. Such encryption isn’t a standard option or feature for common applications like Microsoft’s Outlook or Entourage. The most cost-effective e-mail encryption solutions are services from companies like IronPort and ZixCorp, which range from $10 to $20 per user per year. Moreover, Ouelette says only a small number of employees -- those who are sending sensitive information to customers -- need it.
Despite the relatively low prices, Ouelette echoes Gorman’s claim that most small businesses aren’t using e-mail encryption or database encryption. “No one’s ever really shed light on it until now,” Ouelette says. “But now you have regulatory compliance issues. There are some very specific rules.”
Complying with regulations
Regulatory compliance was the major reason Automated Collection Control (ACC), a 20-person Montville, N.J., data delivery and data management firm that deals with the collections industry, opted for a Vormetric hardware/software solution in “the five figures,” according to Barry Kornspan, vice president of technology. The firm had always had an encryption solution in place for data “in transit” (i.e., sent over the Internet using SSL protocols), but only addressed its “at rest” data in databases and flat files late last year because of new laws.
“The nature of the data we receive from folks is information on bad accounts -- names, addresses, credit card numbers -- and we need to encrypt that data,” Kornspan says.
He found Vormetric’s answer to the problem satisfactory since it performs seamlessly. “There were no programming changes, which was good since we weren’t looking for an intrusive solution,” Kornspan says.
Though ACC is a good illustration of a company drawn to encryption for legal reasons, Gorman is quick to point out that there are lots of other catalysts to adoption, especially in a down economy. After all, a disgruntled former employee can wreak a lot of damage. “A salesperson can walk off with key customer data,” Gorman says. Of course, with an encryption solution in place, those contacts will read as lines and lines of gibberish.