SEC and Finra differ from states on personal data encryption

National and state securities regulators disagree over the use of encryption in storing and communicating client information.
NOV 02, 2008
By Bloomberg
National and state securities regulators disagree over the use of encryption in storing and communicating client information. The Financial Industry Regulatory Authority Inc. and the Securities and Exchange Commission oppose some types of encryption out of fear that it will make compliance enforcement difficult.

By contrast, three states — Connecticut, Massachusetts and Nevada — have stringent requirements that regulate the security of personal information that is stored electronically or e-mailed. The Connecticut and Nevada laws went into effect Oct. 1, with the Massachusetts law slated to kick in next year.

However, the idea that each state could require encryption, creating a fragmented regulatory structure, does not sit well with everyone.

'DOESN'T MAKE SENSE'

"The data security needs of all types of consumers just don't vary from state to state in any significant fashion that I can think of, and as a result, it doesn't make sense to me that there be unique requirements in each individual state," said David T. Bellaire, general counsel and director of government affairs with the Atlanta-based Financial Services Institute Inc. A plethora of state laws would only add confusion and inefficiency, he said, adding that what is needed are national standards.

Calls to Finra had not been returned by press time, and an SEC spokesman declined to comment.

Many financial advisers, especially independents, are unprepared to comply with state laws that require them to provide high levels of protection for personal data. In the case of the Nevada and Massachusetts laws, encryption of personal client data is required, said Barry Schwartz, a consultant with ACA Compliance Group of Boca Raton, Fla.

Cadaret Grant & Co. Inc.'s approach to encryption was to license an online repository, or vault, that lets the firm upload and store data rather than transmitting it, said Marypat Ganley, director of business development for the Syracuse, N.Y.-based independent-contractor brokerage firm. A client logs on to the repository via a secure link and signs on to view his or her accounts. The firm relies on a software add-on to enable it to transmit client data between itself and its business partners.

"Basically anything we'd be providing on our website, or through our technology platform, we are using an encrypted file transfer protocol for moving [those] data," Ms. Ganley said. "As far as [registered representatives'] communications with clients, there are not a lot of reps e-mailing personal information or even statements," she said.

At least one firm turned to encryption to ensure it was in compliance with state law. "We've already encrypted stuff that's in transit, and we've been doing that for a while," said Michael Sundberg, director of information security at Commonwealth Financial Network, an independent broker-dealer based in Waltham, Mass., referring to the Nevada law.

Complicating the issue for the firm is that 19% of its accounts are held in Massachusetts, he said. Its law is challenging because it covers portable hard drives, inexpensive USB memory devices and other hardware. For most advisers, the easiest course would be to avoid using the devices for work, and to avoid traveling with them, Mr. Sundberg said. "Laptops, on the other hand, can be encrypted fairly easily these days," he said, adding that manufacturers such as Dell Inc. offer it as a feature on many models.

To be sure, the consequences for failing to protect clients' personal data are severe. For instance, LPL Financial of Boston paid a $275,000 fine in September to settle an SEC enforcement action charging that the firm failed to protect customer information adequately. In addition, a 2007 study by the Ponemon Institute LLC of Traverse City, Mich., determined that the loss of customer records costs $197 per record, and the average business loss for a large organization that suffers a data breach is $4.1 million.

Moreover, encryption can prevent employees or former employees from selling client data. "With a recession coming, and with the growth in the secondary markets for this data in Eastern Europe, China and other places, prices are going up for information" that a former employee steals and sells, said Jon Neiditz, an attorney with Nelson Mullins Riley & Scarborough LLP in Atlanta.

Forty-five states now have breach notification laws aimed at protecting consumers. These laws require prompt determination of who is, or could be, affected by a breach. Victims as well as Finra and the SEC are entitled to prompt notification in writing.

There are several areas in which advisers need to be vigilant to prevent breaches, Mr. Sundberg said. The most common breaches are a lost or stolen laptop, an office break-in or unencrypted data lost in transit, such as backup tapes or external hard drives, he said. Other vulnerabilities are flash drives, improper storage and disposal of paper documents, and the theft of user names and passwords through phishing, spyware or keystroke-logging software.

For now, firms will have to apply the regulations to clients based on the state in which they live. That's because "the states and the SEC haven't sat down to try and work out what's best for everyone," said Kristina McCabe, operations officer for Schultz Financial Group Inc., a Reno, Nev.-based firm with $160 million in assets under management. The firm is setting up a secure web portal for clients to access their accounts, and it is not using e-mail to transmit personal data.

"Our challenge is when the SEC comes in to conduct an audit, they want our e-mail to be viewable, but if we adhere to Nevada law, that's not going to be the case, especially with archived e-mail," Ms. McCabe said.

E-mail Davis D. Janowski at [email protected].
