iBankCoin

On Varonis, Part I

In Europe, they’re about to change the rules. The new Data Protection Directive and Data Protection Regulations (EDPD/EDPR) propose fines of up to 100M Euro or 5% of global turnover for EU personal data handling violations, regardless of where the processor or controller resides. (Yes, this will impact US companies that fail to protect the personally identifiable information, or PII, of EU citizens.)

Violations of the International Traffic in Arms Regulations (ITAR) can easily represent millions of dollars in fines, and possible jail time, for each instance where controlled information is mishandled. (“Controlled” might mean a data sheet for the F-35 Joint Strike Fighter or a nuclear plant design. There are dozens of categories of controlled items, maintained by the State and Commerce departments.) It’s common for dozens, if not hundreds, of instances to occur per violation.

HIPAA HITECH fines can be substantial for anyone who mishandles Personal Health Information (PHI). And there are many, many more government regulations. In fact, the biggest government impact on corporations today isn’t that governments are spying on everything (they are) but that businesses face so many rules surrounding the data they have to store, the security measures they have to have, and the reporting requirements they’re forced to satisfy. The reason for this is that governments want organizations to get control over their sensitive data, and they’re going to keep ratcheting up fines until firms pay attention. After the Sony, Target and Home Depot breaches, the SEC even had a conference call for the board members of public companies where it implied that board members would soon be held personally liable!

There’s also a completely separate value proposition in terms of the advantages gained by preventing valuable intellectual property from being misused by rogue or careless employees, or taken by outsiders.

These have been huge drivers behind much of the cyber spend, the hype and the bloated valuations over the last year. Now, the party seems to be winding down. China is no longer going to engage in state-sponsored espionage of commercial IP, so has the cyber threat been mitigated? Definitely not.

Sensitive data sits everywhere: on drives, devices, clouds and networks. The mandate to both protect and enable the proper use of information by customers, partners and employees in a globally distributed enterprise, in the cloud, and on mobile devices the user owns is, frankly, overwhelming. Firewalls, sandboxes, encryption and tokenization are critical controls, but they’re nowhere near enough.

Enter Varonis, which reports today, November 5, after the close. At the time of this writing, VRNS is down about 8% today in sympathy with FEYE, because the two share the same problem: although their products work, there isn’t a direct compliance or governance requirement that an auditor would want to check a box for, so they lack a clear budget and their sales default to discretionary purchases.

We’ll get more specific on VRNS in the next post; look for it shortly, as we decide whether or not the risk/reward probabilities are lining up.

-g

 


2 comments

  1. edwardrooster

    Gray, this mini-opus on VRNS was great.
