Encryption is key to keeping client data safe from thieves

Recent reports of the theft of an LPL Financial adviser's unencrypted portable hard drive should make advisers pause and consider how they keep their clients' data safe.

While not mandated, the Financial Industry Regulatory Authority Inc. and the Securities and Exchange Commission suggest encryption as one way to safeguard client data.

Encryption scrambles data so that only a confidential process or key can unlock it and make it meaningful again. Ironically, while encryption can be used to protect data, it can also be used to hide things, which is why, some industry observers believe, regulators haven’t made encryption mandatory: it could theoretically make detecting fraud more difficult.

On the state regulatory level, however, encryption has its fans. Privacy laws in Nevada and Massachusetts require the encryption of electronically stored or transmitted personal data.

The Nevada law, passed in 2008 and recently expanded, protects personal information that is stored or transmitted by businesses and just about any other type of organization.

The provision in the Massachusetts law is broader and applies to all persons that own or license personal information about a resident of the state. That law requires the encryption of all transmitted records and files containing personal information, whether that transmission is over a wired or wireless public network.

Other states are likely to follow suit if the federal government doesn’t step in first.

As for protecting client data, it goes without saying — but I am saying it anyway — that at a minimum, advisers must always use up-to-date anti-virus software and computer firewalls.

Next step: Be careful. The most common security breaches, according to technology experts, occur when laptops are lost or stolen, when offices are broken into and computers are stolen, and when backup tapes and external hard drives are lost in transit.

Other vulnerabilities involve lost or stolen flash drives; the theft of user names and passwords through phishing spyware, keystroke-logging software or other malicious computer code picked up on the Internet; and the use of laptops and wireless networks that lack Wi-Fi encryption.

Of course, the improper storage and disposal of paper documents also remain potential security threats.

Simply put, advisers can go a long way toward protecting client data by using encryption.

“I recommend that all laptops, external hard drives, USB thumb drives and smart phones be encrypted to protect non-public client data,” said Cindi Hill, a certified financial planner and founder of Hill Financial Advisors.

“The password should be at least eight characters long and include upper[case] and lowercase letters, numbers and symbols, if possible,” said Ms. Hill, who is also a consultant to advisers who need help getting set up and trained in using compliance software.

Advisers anxious about encryption should remember that it is nothing new. In fact, encryption is common practice in other highly regulated industries, including health care.

“I’ve been encrypting data for more than 25 years in my practice as a consultant, which has been across a variety of settings, such as medical practices, hedge funds, financial advisory firms and small businesses,” said Matt Sarrel, executive director of Sarrel Group, a network and information security consulting firm. “It’s more important than ever to do this, now that everyone carries data around with them.”

For advisers who need a portable device, there are several to choose from that support encryption.

One is the JumpDrive Safe S3000 FIPS, a smart USB thumb drive from Lexar Media Inc., which Mr. Sarrel recently reviewed for the enterprise technology publication eWeek.com.

The Lexar device is the first to use USB flash memory combined with a smart card for authentication. It doesn’t come cheap; a two-gigabyte model costs $99.

BlockMaster AB and IronKey Inc. offer similar devices, some with remote-management software tools.

When you are away from your regular Internet connections, make sure that you are using only secure connections on Wi-Fi networks. If you are using a wireless router or access point that is more than five years old and relies on Wired Equivalent Privacy (WEP), check your settings to make sure that you are actually using WEP.

Newer hardware uses Wi-Fi Protected Access, also known as WPA, which is more secure than WEP. But it too must be turned on to do any good.

Because larger organizations will find it problematic and impractical to secure individual machines one at a time, Mr. Sarrel suggests that they look at some type of centralized management system that would give them the ability to remotely “wipe” a stolen device.

That is the approach being taken by Ameritas Investment Corp., a dually registered broker-dealer and investment adviser.

Despite push-back from advisers, Micah McCann, the firm’s technology manager, has arranged for a third-party company to monitor and maintain the computers of a handful of advisers on a pilot basis.

The outside firm, Fiberlink Communications Corp., provides a small application that advisers download onto their computers that in turn allows Ameritas to monitor their PCs.

The plan is to roll out the system to all 1,700 Ameritas advisers in the coming months.

“The idea is that we will be able to tell if someone doesn’t have their anti-virus updated or that their firewall settings are up to our standards,” Mr. McCann said. “Ultimately, this is an added service that can provide a lot of value to the field force.”

Ameritas did have to make compromises, Mr. McCann said. For example, the company doesn’t have access to an adviser’s data files or to personal files such as photos or their browsing history.

The cost for the service is $1 per device monitored per month.

(Visit the online version of this story for links to the regulatory notices, companies, products and technologies mentioned in this story. Also, visit my blog, InvestmentNews.com/technology, for updates related to topics covered in this story.)
E-mail Davis D. Janowski at [email protected].