Morgan Stanley Smith Barney data theft — yet another reason for advisers to adopt encryption

My favorite-blog-post-title-of-the-year-so-far award goes to Adam Levin, founder and chairman of Credit.com: <a href="//www.credit.com/blog/2011/07/the-morgan-stanley-smith-barney-breach-losing-client-data-the-old-fashioned-way/&quot;" target="&#8221;_blank&#8221;" rel="noopener noreferrer">The Morgan Stanley Smith Barney Breach: Losing Client Data the Old Fashioned Way</a>. Actually, I'm not sure if it is a blog or a true news site, regardless, it is not the typical news outlet you would expect for such a large story.
JUL 07, 2011
My favorite-blog-post-title-of-the-year-so-far award goes to Adam Levin, founder and chairman of Credit.com: The Morgan Stanley Smith Barney Breach: Losing Client Data the Old Fashioned Way. Actually, I'm not sure if it is a blog or a true news site, regardless, it is not the typical news outlet you would expect for such a large story. I enjoyed ferreting out the lineage of this story, first our Bloomberg News feed then back to Credit.com and their news story and in turn back to the column there on 5 July by Mr. Levin (it was a friend of his who had accounts at MSSB that had received letters from the firm warning of what had happened who passed the information along). What Mr. Levin had to say is worth the read for sure, though you can pick up on the newsy details quickly from the story on our home page right now. In the briefest of nutshells, two compact discs containing information, some of it personal, about 34,000 MSSB customers went missing while in transit from the brokerage to the New York State Department of Taxation and Finance. For my purposes here, the most important points are that A) the two disks were only password protected — not encrypted and B) if the scenario laid out in the various articles proves true it was an inside job of sorts, someone that physically had handled the parcel along the way that took the disks — not a foreign hacker or boogeyman. That first point was made by Mr. Levin in his piece and worth repeating over and over, encryption can be a financial services professional's best friend when it comes to loss of data because such data becomes, for all practical purposes, useless to the thief. Most passwords simply are not strong enough to stand as a singular defense — crackers (thieves specializing in various forms of data theft) have access to programs that can cycle through lists of words and combinations of words and their derivatives of upper and lower case letters and other characters to eventually decipher a password if they want to get at the data badly enough. [Ironic note of the day: Just yesterday Peter Herzog, senior software and systems specialist with the financial services technology consulting firm ActiFi Inc. sent along a link to this nifty password tool from Gibson Research, thanks Peter]. I raise point “B” because so much of our attention these days goes to breaches of domestic company data from points overseas when in reality the bulk of data theft incidents remain domestic and the result of theft from inside an organization. Getting back to breaches themselves and encryption though, forty-five states have laws that require the reporting of privacy breaches, mostly to their respective attorneys general. Massachusetts and Nevada require that encryption be used for the storage or transmission of a client's personal data. Neither the Financial Industry Regulatory Authority Inc. nor the Securities and Exchange Commission require notification of privacy breaches by advisers or firms, though a proposed amendment to the SEC's Regulation S-P would add this. That proposed amendment, 17 CFR Part 248, “Privacy of Consumer Financial Information and Safeguarding Personal Information,” was published in March of 2008 but remains pending. It is unclear when it will be finalized. Both bodies recommend — but don't mandate — the use of encryption to protect client personal data. There is lots of other good information to be had in the related stories below. Related stories: Make sure all your data are safe; unencrypted portable devices can put your clients at risk Making your systems more hacker-resistant Encryption and protection of client data, SEC, Finra, Massachusetts and Nevada Tech under the tree: Apricorn Aegis Padlock secure portable hard drive; TechnoStuff advisers can use Data theft puts LPL clients at risk

Latest News

Names of more B-Ds that sold deals of bankrupt Inspired Healthcare surface
Names of more B-Ds that sold deals of bankrupt Inspired Healthcare surface

Broker-dealers that sold the defunct securities backed by Inspired Healthcare generated more than $100 million in fees and commissions.

MetLife poll finds high-value home sales are becoming tax-planning events
MetLife poll finds high-value home sales are becoming tax-planning events

A new MetLife survey finds real estate professionals are increasingly steering clients toward tax experts as rising property values leave more sellers facing significant capital gains.

Kestra adds Raymond James recruiter to expand advisor hiring push
Kestra adds Raymond James recruiter to expand advisor hiring push

The independent broker-dealer expands its business development bench with a new recruiter and an internal promotion in the West.

Cerity Partners names Will Peng chief innovation officer
Cerity Partners names Will Peng chief innovation officer

The leading ultra-high-net-worth RIA joins other large wealth firms, including Raymond James and LPL, in creating executive roles focused on artificial intelligence strategy

SPONSORED Who builds the income when the pension disappears?

Dan Biagini of American Equity says the steady decline of pensions, longer lifespans and a reset in interest rates are rewriting how advisors build retirement income

SPONSORED Why direct indexing stopped being optional

Direct indexing is on pace to outgrow ETFs and mutual funds. Northern Trust's Ken Lassner explains why the advisors who get it wish they had started sooner.