Make sure all your data are safe

Keeping client data safe has become even more important in light of all the sensitive information that is now being stored on portable devices.

Aside from sophisticated software solutions, here are three simple steps advisers can take to avoid finding themselves in the unenviable position of losing a client's unencrypted data.

First, password-protect and encrypt the portable communications devices that contain client information. This includes laptops, iPads and other tablet devices, as well as smart phones. You also need to make sure that you are disconnected automatically from online services for customer relationship management and portfolio accounting applications when the device you're using goes into automatic sleep mode or, in the case of laptops, when you close them.

Second, if you carry around other portable storage devices, stop using low-cost USB thumb drives and unencrypted portable hard drives. (I list some good alternatives later on in this column.)

Finally, be aware of the current regulatory environment.

Last week, Sen. John Kerry, D-Mass., and Sen. John McCain, R-Ariz., introduced a bill in Congress called the Commercial Privacy Bill of Rights Act of 2011.

Essentially, the bill is intended to create a framework for better protection of the personal information of all Americans. It would require those collecting personal information to implement security measures to protect against breaches.

Unfortunately, there is no shortage of security breaches.

To that point, a quick visit to DataBreaches.net, a website dedicated to security screw-ups, revealed that the Oklahoma State Department of Health has notified nearly 133,000 individuals that an agency laptop computer containing their names and other personal information was stolen from an OSDH employee's car last week.

Another example of a security breach was discovered last month when BP PLC disclosed that an employee had lost an unencrypted laptop containing personal data, including names, Social Security numbers and dates of birth belonging to about 13,000 residents who filed claims for compensation after the Gulf of Mexico oil spill.

The laptop was password-protected, but the information was not encrypted, a process that involves transforming information using algorithms to make the data unreadable to anyone other than those having a “key.”

Advisers can learn an important lesson from these examples.

Protecting client data will give you peace of mind, as encrypted sensitive data stored on portable devices is very difficult, if not impossible, for anyone other than you to retrieve.

Although they have not yet mandated encryption, the Financial Industry Regulatory Authority Inc. and the Securities and Exchange Commission suggest it as one way to safeguard client data.

The key here is for advisers to be proactive. Don't wait for Finra or the SEC to unveil safeguarding guidelines; take it upon yourself to safeguard client data properly on your portable devices.

Ironically, while encryption can be used to protect data, it can also be used to hide things — which is why some industry observers believe that regulators haven't made encryption mandatory, since it theoretically could make detecting fraud more difficult.

Meanwhile, some states believe that consumer protection trumps such reasoning. Privacy laws in Nevada and Massachusetts require the encryption of electronically stored or transmitted personal data.

PORTABLE STORAGE

As for portable storage devices, there are much more secure alternatives to the ubiquitous USB flash drives. Several of these alternatives, in fact, are just as portable and come in similar formats.

One such device is the Defender F200+ Bio Flash Drive, from Imation Corp., which I'm test-driving. It is a 4-gigabyte portable flash drive ($159 list; seven models available, from 1 gigabyte up to 64 GB) in a beefy housing that physically is twice the size of the typical USB throwaway thumb drive.

What makes this drive different is that, among other things, it supports two-factor authentication, meaning that it can be set to require both a password and a fingerprint scan to gain access. I have to admit, the built-in fingerprint scanner is very neat.

What's more, the device meets the Federal Information Processing Standards 140-2 Level 3 U.S. government security standard. That standard specifies requirements for cryptography modules, and the Level 3 part adds requirements for physical tampering resistance and identity-based authentication (the fingerprint scanner).

It also requires a physical or logical separation between the interfaces, which in simple terms means that each piece of the device, hardware and software, should be tamper-resistant and that gaining access to one does not automatically provide access to another.

Another device worth looking at is the Apricorn Aegis Padlock, from Apricorn Inc. It is a secure portable hard drive that I first began evaluating a few months ago as part of a long-term test I am doing to back up important files.

I have the 756-gigabyte model, with a list price of $199, which, in addition to its real-time 256-bit or 128-bit hardware encryption (your choice), also features a configurable keypad for setting up your own PIN.

The Aegis tool is not quite as bleeding-edge as the Imation product (its encryption algorithm adheres to the FIPS 197 standard published in 2001) but is still very secure, easy to use and affordable. It was very simple to set up, requiring just a few minutes to change the default PIN to my own.

Otherwise, it works like any other portable USB hard drive that plugs into your computer and appears as an additional drive.

Visit the online version of this story for links to much of the above content, as well as links to our blog (InvestmentNews.com/technology) for more details on my user experiences and how I set up the Imation Defender product. You will also find links to the detailed review of the Aegis Apricorn.

E-mail Davis D. Janowski at [email protected].
