Advisors rarely discuss data security with clients, but a breach can be crippling. So protect yourself, your firm and your clients.
For Calgary-based Mitch Reynolds, the wake-up call was learning that an employee’s laptop had been stolen from a car, along with a client application in the laptop bag.
“Thankfully, there was no SIN or other sensitive information compromised, but we [still] had to go through a full security audit,” he says.
Reynolds followed his firm’s response plan by contacting the manager of the administration team at head office. “I had to give several interviews, as did the advisor whose laptop was stolen, as well as incident reports.”
Luckily, the laptop was fully encrypted, so the thief couldn’t access the data. Unfortunately, the paper application form contained the client’s banking information.
The firm notified the client, advised him to switch bank accounts, and paid for one year of credit monitoring. After several weeks, the firm found no evidence that anyone tried to use the stolen data.
It could have been much worse. A data breach can devastate your practice, but clients rarely raise the issue with advisors.
“Clients don’t typically ask the data security question,” says Olivia Woo, senior portfolio manager with the private client team at Mawer Investment Management in Calgary. That’s because they assume you have it covered. Yet a data leak will shatter that faith. According to the latest Unisys Security Index, up to 85% of customers would go elsewhere if a financial firm lost their personal information, and half would take legal action.
KNOW THE CONSEQUENCES
If data is compromised, a disaster-response plan can mitigate the damage. A good plan outlines steps to restore the data, prevent misuse of lost data and identify how the breach happened.
Even if a security breach is the fault of a third party, clients will come to you for answers. The Ponemon Institute finds nearly 30% of reported breaches originate with external partners. So before you outsource, ask providers how data is encrypted and backed up, who has access to your client data and what access controls are in place.
Include in your service agreement the right to audit their data security measures. You may also want to ask an IT expert to draft a third-party service agreement that you can use as a template for outsourcing work.
Errors-and-omissions insurance premiums are unlikely to be affected by a data breach unless you experience multiple breaches or if you’re deemed by your insurance provider not to be taking necessary precautions. Depending on the size of your coverage, breach insurance providers will want to know whether you have adequate data backup and disposal policies, encryption standards and a response plan.
The Canadian market for policies covering data breaches remains immature, and the costs and deductibles may be prohibitive for smaller firms (see sidebar, “Data insurance costs,” this page). Some policies, though, cover the cost of notifying affected clients and credit monitoring, which can run between $100 and $300 per impacted client.
In May 2010, Alberta became the first province to enact mandatory breach notification legislation. But regardless of the law, clients expect to hear from you if their data is compromised. You’ll also want to consult legal counsel quickly after an incident, no matter how minor.
When Reynolds established his own firm, Life Guard Insurance, the stolen laptop incident was top-of-mind.
Reynolds has a laptop for client files and, like before, encrypts the partition of the hard drive where they are kept. When travelling, he keeps the laptop and all hard-copy client files on his person at all times.
He also signed up with Salesforce.com to use as a cloud backup service, and chose it because of its size, popularity and track record.
You can’t always protect against a data breach, but “if you have encrypted the data on a lost or stolen computer, you go to your backup, buy a new machine and are back in business the next day,” says Alan Brill, senior managing director of the cyber security and information assurance group at Kroll. “Privacy laws generally recognize that when lost or stolen data has been encrypted, the incident may not even be reportable.”
To back up paper records, Reynolds’ MGA scans all client applications and records onto a secure server so they can’t be physically stolen or damaged.
Employee behaviour also factors into the security equation. “The majority of breaches are low-tech, like dumpster-diving, lost devices or information transmitted to the wrong fax number, e-mail address or courier address,” says Andrew Brown, vice-president of executive risk at Willis Canada.
Instead of doing it yourself, use a secure shredding company; monitor how it collects shredded documents, and escort them to the truck during disposal.
“Some companies avoid providing recycling bins,” says Nick Galletto, national leader, Information & Technology Risk Solutions at Deloitte Canada. “They would rather err on the side of caution than accidentally have something leak out.” The policy at Mawer’s Calgary head office, says Woo, is to shred all client-related papers.
It’s easy for hard drives and filing cabinets to become bloated with sensitive information you no longer need, so “get rid of information that has zero asset value, but tremendous liability,” Brill says.
Seven years is a safe amount of time to keep financial data, though some data, such as old e-mail threads, can be disposed of more quickly. You should keep archives of important e-mails for at least two years, while unimportant ones (think pleasantries, gossip and non-work-related content) can be disposed of immediately. Of course, consult a lawyer before putting any such policies in place.
To fully erase digital data, use software to overwrite, not just delete, either a folder or an entire hard drive to ensure files are completely irretrievable. When retiring a drive, break it in half or drill a hole through it as an additional safety measure.
Originally published in Advisor's Edge