The massive Equifax data breach disclosed earlier this fall has put a renewed spotlight on identity theft. Personal information on more than 143 million Americans held by Equifax was exposed (a figure the company later revised upward), making this one of the largest data breaches on record, and one of the most damaging, because the data involved, Social Security numbers, birth dates and addresses, cannot be changed the way a password can.
There are lessons to be learned from this breach for every business, including independent financial advisors. In fact, given the volume of sensitive client information (like Social Security and account numbers) that most financial advisors possess, you should be especially vigilant when it comes to protecting this information, as well as helping clients safeguard their own personal information.
Laws Governing Data Security
Several laws are in place that govern privacy and protection of client information. For example, the Gramm-Leach-Bliley Act requires independent financial advisors to implement procedures designed to protect clients’ non-public personal information. And the Federal Trade Commission Act (FTCA) allows the FTC to classify an advisor’s failure to protect sensitive client information as an unfair trade practice.
At the state level, most states have specific requirements regarding consumer notification in the event of a data security breach. Many states also require advisors to adopt reasonable data security measures, such as having in place a comprehensive, written data security program.
Best Practices for Advisors
Following are some best practices for protecting sensitive client information:
1. Implement a written information security program, or WISP. This is required by law in Massachusetts, where any business (including independent financial advisors) that owns or licenses personal information about a state resident must implement and maintain a comprehensive data security program. Such a program must contain administrative, technical and physical safeguards designed to protect clients’ personal information.
Other states may follow Massachusetts’ lead here, so it might be wise to develop your WISP now. And note that the requirement follows the data, not the office: if you are not physically located in Massachusetts but have clients who live there, your firm is subject to the state’s WISP requirement.
2. Store client records securely. Encrypt client data at rest using a current, well-reviewed cipher such as AES-256, and keep the encryption keys separate from the data they protect; a key stored on the same server as the database protects nothing, and a lost key means lost records, so keys need their own backup and access controls. Also enable full-disk encryption on office mobile devices (such as smart phones and tablets) and laptops that may contain client information, so that a lost or stolen device does not turn into a reportable breach.
3. Dispose of client records properly. Any documents (whether paper or electronic) containing sensitive client information should be rendered unreadable before they are disposed of. Paper documents should be cross-cut shredded. For electronic records, moving a file to the trash or deleting it only removes the directory entry and leaves the data recoverable; use a secure-erase method suited to the media, destroy the encryption key for data that was stored encrypted so the remaining ciphertext is useless, and physically destroy drives that are being retired.
4. Monitor your service providers’ data protection safeguards. You should carefully vet any vendors who will be provided with access to your clients’ sensitive personal information. Require such vendors to maintain adequate data security measures for the life of your contract or engagement with them, and insist on the right to audit their data protection safeguards periodically.
5. Establish strong internal controls. These include limiting internal access to sensitive client information on a “need-to-know” basis; verifying any request to release client information to a third party (such as a banker or CPA) through a second, independent channel, for example a call back to a number already on file, before acting on it; refraining from discussing account information with anyone (including family members) who is not named on the account; and requiring multi-factor authentication on all staff logins, with credentials changed immediately when an employee leaves or a compromise is suspected. Note that current NIST guidance (SP 800-63B) no longer recommends routine calendar-based password changes for their own sake; a strong, unique password plus a second factor does more than a quarterly rotation.
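As an added example (not code from the original article), the storage and disposal recommendations above in working form: a Go program that seals a client record with AES-256-GCM, binds the client identifier in as associated data so a ciphertext cannot be swapped into another client's row, rejects any tampering, and shows crypto-shredding, where destroying the key makes every record sealed under it unrecoverable. The function names, the in-memory key handling and the sample record are assumptions for illustration; in production the key would live in a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeySize is 32 bytes: AES-256, the "256-bit encryption" the text recommends.
const KeySize = 32

// NewKey returns a fresh random 256-bit data-encryption key. Assumption for
// this example: in production the key comes from a KMS or HSM, never from a
// config file stored next to the data.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one client record with AES-256-GCM. The client ID is bound in
// as associated data, so a ciphertext moved to another client's row fails to
// open. Output layout: nonce || ciphertext || tag.
func Seal(key []byte, clientID string, record []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // a nonce must never repeat under one key
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, []byte(clientID)), nil
}

// Open decrypts and verifies. Any change to the ciphertext, the tag or the
// client ID returns an error instead of silently returning garbage.
func Open(key []byte, clientID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(clientID))
}

// Shred zeroes the key in memory. Once every copy of the key is destroyed
// (crypto-shredding), all records sealed under it are unrecoverable. This is
// the dependable way to "permanently erase" data on SSDs and cloud storage,
// where overwriting a file in place cannot be relied on.
func Shred(key []byte) {
	for i := range key {
		key[i] = 0
	}
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record for the example; not real client data.
	record := []byte(`{"client":"C-1001","ssn":"000-00-0000","acct":"12345678"}`)

	sealed, err := Seal(key, "C-1001", record)
	if err != nil {
		panic(err)
	}
	plain, err := Open(key, "C-1001", sealed)
	fmt.Printf("round trip ok: %v\n", err == nil && string(plain) == string(record))

	// Flip one ciphertext byte: the authentication tag no longer matches.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, "C-1001", tampered)
	fmt.Printf("tamper detected: %v\n", err != nil)

	// Same ciphertext presented under another client's ID: also rejected.
	_, err = Open(key, "C-2002", sealed)
	fmt.Printf("wrong client rejected: %v\n", err != nil)

	// Destroy the key: the record is now unrecoverable.
	Shred(key)
	_, err = Open(key, "C-1001", sealed)
	fmt.Printf("unrecoverable after key destruction: %v\n", err != nil)
}
```

Keeping the key out of the storage tier is what makes both halves of this work: encryption at rest only helps if the attacker who copies the database does not also get the key, and crypto-shredding only counts as disposal if you can prove every copy of the key, including backups, is gone.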
Offering Guidance to Clients
Given all the publicity recent data breaches have generated, your clients may be asking you for advice regarding what they should do to protect their personal information. Here are some general tips you can share with clients:
• Monitor all bank and card accounts regularly for transactions they do not recognize, and turn on transaction alerts where the institution offers them.
• Order a free copy of their credit report by visiting AnnualCreditReport.com, then examine it carefully for accounts, addresses or credit inquiries they did not initiate.
• Use long, unique passwords (ideally from a password manager) and enable two-factor authentication on every financial account that offers it.
• Plan to file their taxes early in 2018, so that a fraudulent return using their Social Security number is less likely to be filed first.
It’s All About Trust
It’s essential that your clients know they can trust you to safeguard their personal information. This makes it critical to take steps like those listed here to protect sensitive client data, as well as offer suggestions to help clients safeguard their personal information themselves.