Westborough Firm Brings Privacy Help To Business

The TD Bank data breach that came to light this week could cost the bank millions in lost business. Bob Siegel, founder of a local privacy protection startup, is trying to help clients avoid the same fate.

Nearly all companies in Massachusetts – and they don’t have to be banks – are subject to the state’s data privacy law, which aims to protect customers’ personal and financial information from being inadvertently released.

Defining A Data Breach

Privacy regulations are complicated – the definition of personal information varies from state to state. Siegel said in Massachusetts, a data breach occurs when a client’s name and government identification or bank account information are released together. In California, all it takes for a breach to occur is a person’s name and zip code.

Businesses are required to abide by laws in all states where they have clients, so it becomes quite a task to ensure compliance. Siegel said big companies like Staples have the money to employ full-time privacy staff.

“Smaller businesses really can’t afford to do that,” he said.

Enter Privacy Ref, which will design privacy programs for clients’ specific needs on a contract basis.

Through Privacy Ref consulting services, companies will be able to establish practices that fully comply with privacy regulations they’re subject to.

Business owners will pay less than they would hiring a lawyer who specializes in privacy law, and certainly less than it would cost to employ a specialist full-time, according to Siegel.

After finishing up a job for the Consumer Financial Protection Bureau in Washington, D.C., Siegel is seeking new clients in Massachusetts and beyond. He currently has three employees besides himself, but he hopes to hire new staff in the second quarter of 2013, and may pursue venture capital to grow the company later on.

Risking Retaliation

It’s common for smaller business owners to be unfamiliar with privacy laws their companies are subject to, according to Siegel, and that puts them at risk for retaliation from attorneys general, who can enforce state privacy regulations in the event of a data breach.

Plus, it costs a lot of money. Siegel cited an annual assessment by the Ponemon Institute, an independent research firm that focuses on privacy issues. It showed that in 2012, it cost an average of $194 per client record to remediate a data breach. And in Massachusetts, companies can be fined $5,000 per violation, according to a Massachusetts data security law passed in 2010.

As for the future of privacy regulation, Siegel said he doesn’t expect a uniform approach across all states any time soon. President Barack Obama has proposed the Consumer Privacy Bill of Rights, which deals with this issue, but Siegel said it’s taken a “backseat” to other political topics and passage is not imminent.
