Vendors need to be held to a higher standard on privacy

Not that long ago, keeping clients’ data secure was easy. It merely required a lock and key. Now, with third-party providers, remote access and the use of internet platforms, keeping clients’ personally identifiable information private is much more complicated — and vulnerable.

As cyber breaches occur on a regular basis (for example, Equifax, Yahoo, Marriott and Redtail), the risk to client data is increasing.

(More: Redtail isn’t the only firm with cybersecurity issues)

Beyond data theft, we must determine how personal and financial data is used by third-party vendors. Are those third parties sharing information with their affiliated companies or profiting by selling it to others?

As advisers, we must be informed about the policies, procedures and culture of every person and entity that has access to client data. In fact, I believe it is our fiduciary duty.

A recent New York Times series on privacy noted that “platforms are under no obligation to protect user privacy. They are free to directly monetize the information they gather by selling it to the highest bidder.”

(More: Ask these cybersecurity questions)

Data privacy is described in vendors’ privacy policies. Yet how many of us actually read them? Some are very straightforward, while others are not. Envestnet Tamarac, one of the industry’s leading providers, will not only share aggregated data with outside companies, it will also share your contact information and sell client results through its aggregator entity to others.

Here’s an example: Envestnet Tamarac “collects information about you … information included on your Client Profile and related forms — such as name, address, Social Security number, date of birth, assets and income — along with personal information about your account activity, including your transactions, balances, positions and history. For financial professionals utilizing our technology platform, [the firm] may make available your business contact information and information regarding the use of their investment strategies to third-party investment managers and exchange-traded funds, mutual funds, and similar investment vehicles.”

So is your client data truly private and secure? Does it matter to you? To your clients? At what point will you discontinue doing business with a provider? Is sharing information with affiliated companies for marketing purposes OK? How about for joint marketing with non-related financial companies? Is it OK for your provider to distribute or sell “aggregated data?”

I believe advisers need to update internal policies about what we consider to be permissible use of our clients’ data. For me, the line stops at anything beyond sharing information with corporate affiliates for marketing purposes. It is up to us to collectively take a stand to bring the changes our clients and our businesses deserve.

(More: 10 trends in cybersecurity you need to know)​

We should perform due diligence on all providers, including custodians, software and back-office services. I suggest utilizing a checklist addressing business continuity plans, compliance documentation, privacy policies, cybersecurity protections, background checks on employees and more.

Finally, clients are hearing about — and experiencing — cybercrime, data breaches and invasions of privacy. One thing is universally true: Clients are concerned. Telling your clients how you protect their data is not only important, it can help build trust and enhance client relationships So please take this approach — you’ll be glad you did.

(More: 4 top surprises from the new tax law)

Sheryl Rowling is head of rebalancing solutions at Morningstar Inc. and principal at Rowling & Associates.