Article | July 11, 2011

SMB Compliance Requirements Create Opportunities For Solution Providers


Posted by Scott Barlow, Reflexion Networks

Intensifying concerns about data privacy are driving a broad range of governmental regulations that impose a new spectrum of requirements for businesses. Requirements vary by industry segment, such as healthcare and financial services, and even by location, as state legislation becomes more common. For example, all U.S. states with the exception of Alabama, Kentucky, New Mexico, and South Dakota have privacy and data breach notification laws; healthcare organizations are subject to HIPAA; brokerage firms must comply with FINRA; SOX affects all publicly-traded companies in the U.S.; and all financial institutions, such as banks, insurance companies, securities firms, consumer finance companies, and investment advisors must comply with GLBA — just to mention a few.

While government regulation is often thought of as primarily affecting large enterprises, small and midsize businesses are increasingly affected. For example, the Massachusetts Data Privacy laws (CMR 201) apply to any company that collects personally identifying information for any Massachusetts citizen, regardless of the company's location. Many businesses don't have the resources to track these regulations and may turn to their traditional "trusted IT advisor" for advice on compliance. However, while solution providers are quite skilled in the application of technology to solve business problems, they may not have the necessary domain knowledge when it comes to the specific requirements of pertinent legislation.

This challenge creates an opportunity for solution providers to expand their value-add as their clients' "trusted compliance advisor." Evolving into this role will require study and ongoing tracking of new requirements that are formalized into law, but the financial and customer retention rewards for such expertise could make it well worthwhile. Compliance requires a blend of trained people, sound processes, and appropriate technology. Once the requirements are understood as they relate to a specific customer, solution providers will have all of the skills necessary to deploy the appropriate tools, which typically include email security, email archiving, and email encryption. Email encryption solutions, for example, can be used to automatically encrypt outbound messages that contain patient data, social security and credit card numbers, and other protected consumer information. While email encryption alone does not address the entire issue of data leakage, it does protect a crucial threat vector.

Email archiving addresses a second dimension of compliance. The Federal Rules of Civil Procedure (the legal rules governing civil suits) require litigants to provide pertinent electronically stored information (ESI) during the discovery phase of a trial. Without an archiving solution, compliance may be extremely difficult and costly. An inability to provide information may create an appearance of guilt, and failure to meet specified deadlines may result in stiff penalties. Firms that may be the subject of civil litigation, such as professional services firms, should have a solution in place as insurance to minimize this risk, respond to discovery requests in a timely manner, and allow legal counsel ample time to prepare a defense.

To address the compliance needs of their customers, solution providers should look for integrated tools that can be easily deployed and centrally managed, in order to reduce their costs. Hosted solutions typically provide rapid deployment and avoid the up-front outlays for on-premises solutions.

End-user education and effective internal policies and procedures are also essential elements of any effective compliance program. For example, if employees do not know what the requirements are, they may not be aware of the risks to which they are exposing their employers. Similarly, a lost laptop can undo the protection provided by any email encryption system. Once solution providers understand the requirements of pertinent legislation, they will be in an excellent position to provide the necessary training and process counseling in conjunction with pertinent technology.

Of course, the flip side of opportunity is risk. In today's business environment, solution providers without grounding in specific compliance requirements run the risk of losing their claim to "trusted IT advisor" status. With this expertise, on the other hand, they can accelerate the transition from selling products and services to more effectively leveraging deployed services to help customers comply with state and federal legislation, and increase their revenue as a result of improved operational efficiency.