The Senate approved the Personal Data Privacy and Security Act this week, which requires businesses holding the personal data of more than 10,000 U.S. residents to conduct risk assessments and implement data-protection policies. The bill would create a big opportunity for VARs able to help corporations assess their own infrastructures and implement compliant solutions.
Chances are a bill in some form will pass in 2006 to become law. "There is a real win/win/win that's possible," says Kevin Brown, vice president at Decru, a Network Appliance company that offers storage security technology. "But for that to happen, there needs to be a streamlining of compliance requirements for the enterprise. Right now they're suffering under a lack of clarity and a proliferation of rules. It's time for the federal government to step up and provide the clarification, while not losing the level of protection set for the consumer by existing state laws."
Once a law does go into effect, companies will scramble to comply--not unlike when HIPAA dictated processes in health care. When that happens, the channel community will likely take an active role, says Wayne Webster, senior director of channels for federal government at Network Appliance. System integrators will lead with consulting and assessment, and the VARs will follow soon after with solutions that ease compliance.
"The whole situation just makes the target clearer," Webster says. "They know, without having to ask, the top initiatives that customers are dealing with." The biggest challenge for VARs will be figuring out how to develop the right solution with the right partners. "Line card solutions, or offering everything under the sun, will be replaced by single solutions that solve the one or two compliance issues facing a customer. VARs can't be catalog-based providers when they approach this opportunity," Webster adds.
In the past year, companies in the U.S. have reported security incidents that exposed the personal information of more than 50 million consumers--with exposures by ChoicePoint and LexisNexis garnering the most attention. Such incidents led to the bill, which in addition to risk assessment requires data brokers to provide an opportunity for people to correct any false personal data on record. When data breaches do occur and significant risk of identity theft or data fraud exists, companies have to notify consumers. In cases where risk from a data breach is not as high, companies still have to report the incidents to the Secret Service for investigation.