Financial advisers have a fiduciary duty to do what is in our clients' best interest, always, which includes maintaining confidentiality at all times. This extends to protecting our clients' identities, a function that is increasingly complicated as advisers and clients rely on an expanding range of technology tools.
I encourage my clients to incorporate best practices for protecting sensitive data, too. Information protection is a team effort. Here are some important components of a well-rounded approach:
Information protection starts with physical security. The best technology solution isn't worth much if hard copy files are left on your desk overnight, or in a file folder accidentally left behind at a restaurant or in a cab. The same is true for computers, tablets and phones -- lock them down with a password-protected screen lock whenever they are unattended, even for a short time.
How many of our clients use the same password for every website -- from Craigslist to their account access? What about you and your staff? There are many good password vault tools on the market, such as 1Password, that will generate strong, lengthy passwords and synchronize them across all of your devices. It is very important that the password to open your vault is easy for you to remember, uses upper- and lower-case letters, numbers and special characters, and is at least 14 characters long. Change this password frequently, change your passwords for all important user IDs as well, and don't use the same password for multiple websites and tools.
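The password policy above (at least 14 characters drawn from all four character classes) and the warning against reuse are easy to turn into a check. The following is an added example, not code from the original post or from any vault product it mentions: it generates a policy-compliant password from the operating system's cryptographic random source, validates any password against the same policy, and flags entries in a (constructed) vault export that share one password across several sites. The vault layout, a plain site-to-password mapping, is an assumption for illustration.

```python
import secrets
import string
from typing import Dict, List

# Policy from the post: minimum length 14, with upper- and lower-case letters,
# digits and special characters all present.
MIN_LENGTH = 14
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?/"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS)


def meets_policy(password: str) -> bool:
    """True if the password is long enough and uses every character class."""
    if len(password) < MIN_LENGTH:
        return False
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length: int = 20) -> str:
    """Build a random password from the OS CSPRNG (secrets), retrying until
    the draw happens to contain all four classes so the result is unbiased."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def reused_passwords(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each password that appears under more than one site to those sites.
    The vault is assumed to be a simple {site: password} export."""
    by_password: Dict[str, List[str]] = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample vault: two sites share a weak password.
    sample_vault = {
        "craigslist": "summer2012",
        "custodian-portal": "summer2012",
        "email": generate_password(),
    }
    print("generated:", generate_password())
    print("reused:", reused_passwords(sample_vault))
```

Note that `generate_password` rejects draws that miss a class rather than forcing one character from each, which keeps every accepted password uniformly random over the compliant set.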
iPads and other portable devices are not less secure than hard copy files (it's very much the opposite). I have been challenged by a number of colleagues about using an iPad when meeting with a client away from my office. The concern is generally about having client data on the device. Sure, if I left my iPad in a public place it could be stolen. I am sure I would notice that I lost it, and could remotely wipe it clean and render it useless, all from my iPhone, MacBook Air or iMac. If a crook tried to access information before I had it self-destruct, they would have to crack a passcode to gain access to the device, then the user ID and passcode to access my business information. I would argue that the stolen manila folder containing client information is far easier for the thief to access.
Keeping your client and other business information in reputable cloud-hosted tools provides better security than keeping it on the server in your office, or worse, on your desktop or laptop computer. When moving to the cloud, obtain your cloud-hosted tool suppliers' privacy and disaster recovery policies annually, and actually read them. Who owns the information, and what happens to it when you part ways? Readers wary of cloud-hosted solutions should consider the measures best-of-breed technology firms employ: 256-bit SSL encryption (currently referred to as "bank-grade"), highly secure, multiple and redundant physical facilities with "high availability" (over 99.9% uptime), and protocols to make sure neither employees nor hackers can access your data. Is it perfect? Probably not, but can you say that your office or laptop offers all of that?
There is a healthy concern about accessing client information away from the office, especially while traveling, because a thief might gain access. That's why using public WiFi isn't a great idea. Mobile networks probably offer a more secure level of access, and using a VPN, or virtual private network, like StrongVPN or those available from Verizon and AT&T, allows you to access your data through a secure connection no matter where you have Internet access. Note, though, that while traveling in certain countries, you may not want to take your work with you, even if you use a VPN.
Email & sharing files
I received an email from a bank recently with my client's full name and account number as the subject line. When I (immediately) called the sender to find out what they were thinking, they were surprised I accused them of doing anything wrong. I'm sure that person also attaches files to emails with client social security numbers and other sensitive information, or shares the same on flash drives or CDs. Let's hope everyone reading this knows never, ever to include client information in an email. When sharing a file, send a password-protected link to the recipient. I use SafeSync for Business and can easily share a file or folder with a recipient, provide a unique password, make the link expire and even set the link for one-time use.
Clients should find electronic delivery of account statements to be a great benefit -- less mail, free online storage and one more way to prevent identity fraud. I hope that most advisers are encouraging their clients to embrace this approach, and request e-delivery for all financial correspondence and e-bill payment for recurring bills. An FBI agent once told me that identity fraud targeting mailboxes was so easy that "a red flag on the mailbox means a green light to identity thieves".
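The sharing controls described above (a unique password on the link, an expiry time, and optional one-time use) are what a file-sharing service enforces server-side. The following is an added example of that logic, not code from the original post or from SafeSync for Business: a minimal in-memory link service that stores only a salted PBKDF2 hash of the link password, rejects expired or already-used links, and answers every failure identically so a caller cannot tell which check failed. The class and method names, the injectable `clock` used to make expiry testable, and the sample file names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

PBKDF2_ITERATIONS = 100_000


@dataclass
class ShareLink:
    token: str            # unguessable identifier that appears in the URL
    file_name: str
    salt: bytes
    password_hash: bytes  # PBKDF2-HMAC-SHA256 of the link password
    expires_at: float     # Unix time after which the link is dead
    one_time: bool
    used: bool = False


def _hash_password(password: str, salt: bytes) -> bytes:
    """Standard password hashing; the plain password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class ShareService:
    """In-memory stand-in for a hosted file-sharing backend (illustration only)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._links: Dict[str, ShareLink] = {}
        self._clock = clock  # injectable so expiry can be exercised without sleeping

    def create_link(self, file_name: str, password: str,
                    ttl_seconds: int, one_time: bool = False) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of randomness in the URL
        salt = secrets.token_bytes(16)
        self._links[token] = ShareLink(
            token=token,
            file_name=file_name,
            salt=salt,
            password_hash=_hash_password(password, salt),
            expires_at=self._clock() + ttl_seconds,
            one_time=one_time,
        )
        return token

    def open_link(self, token: str, password: str) -> Optional[str]:
        """Return the shared file name, or None for any failure (unknown token,
        expired, already used, or wrong password) without saying which."""
        link = self._links.get(token)
        if link is None:
            return None
        if self._clock() > link.expires_at:
            del self._links[token]          # garbage-collect dead links
            return None
        if link.used:
            return None
        # Constant-time comparison of the two hashes.
        if not hmac.compare_digest(_hash_password(password, link.salt), link.password_hash):
            return None
        if link.one_time:
            link.used = True                # consume only on a successful open
        return link.file_name


if __name__ == "__main__":
    svc = ShareService()
    tok = svc.create_link("client-statement.pdf", "unique link password",
                          ttl_seconds=3600, one_time=True)
    print(svc.open_link(tok, "unique link password"))   # the file name
    print(svc.open_link(tok, "unique link password"))   # None: one-time link spent
```

A wrong password does not consume a one-time link, so the intended recipient is not locked out by someone else's failed guess; the link password should travel to the recipient over a different channel than the link itself.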
Bottom line: make sure you and your staff employ good information protection practices, and make sure your clients are part of the effort.
What do you think? What are some ways you are helping clients stay protected? Have any horror stories?
Dave O'Brien, CFP® is a NAPFA-Registered Financial Advisor in Richmond, Virginia and owner of O'Brien Financial Planning, Inc., a Fee-Only Registered Investment Adviser. Prior to launching his firm in 2006, Dave spent 18 years at GE where he managed information technology and operations teams in several industries.