My favorite-blog-post-title-of-the-year-so-far award goes to Adam Levin, founder and chairman of Credit.com:
The Morgan Stanley Smith Barney Breach: Losing Client Data the Old Fashioned Way. Actually, I'm not sure if it is a blog or a true news site, regardless, it is not the typical news outlet you would expect for such a large story.
I enjoyed ferreting out the lineage of this story, first our Bloomberg News feed then back to Credit.com and their news story and in turn back to the column there on 5 July by Mr. Levin (it was a friend of his who had accounts at MSSB that had received letters from the firm warning of what had happened who passed the information along).
What Mr. Levin had to say is worth the read for sure, though you can pick up on the newsy details quickly from the
story on our home page right now.
In the briefest of nutshells, two compact discs containing information, some of it personal, about 34,000 MSSB customers went missing while in transit from the brokerage to the New York State Department of Taxation and Finance.
For my purposes here, the most important points are that
A) the two disks were only password protected — not encrypted and
B) if the scenario laid out in the various articles proves true it was an inside job of sorts, someone that physically had handled the parcel along the way that took the disks — not a foreign hacker or boogeyman.
That first point was made by Mr. Levin in his piece and worth repeating over and over, encryption can be a financial services professional's best friend when it comes to loss of data because such data becomes, for all practical purposes, useless to the thief.
Most passwords simply are not strong enough to stand as a singular defense — crackers (thieves specializing in various forms of data theft) have access to programs that can cycle through lists of words and combinations of words and their derivatives of upper and lower case letters and other characters to eventually decipher a password if they want to get at the data badly enough. [Ironic note of the day: Just yesterday Peter Herzog, senior software and systems specialist with the financial services technology consulting firm ActiFi Inc. sent along a link to this nifty password tool from
Gibson Research, thanks Peter].
I raise point “B” because so much of our attention these days goes to breaches of domestic company data from points overseas when in reality the bulk of data theft incidents remain domestic and the result of theft from inside an organization.
Getting back to breaches themselves and encryption though, forty-five states have laws that require the reporting of privacy breaches, mostly to their respective attorneys general.
Massachusetts and Nevada require that encryption be used for the storage or transmission of a client's personal data.
Neither the Financial Industry Regulatory Authority Inc. nor the Securities and Exchange Commission require notification of privacy breaches by advisers or firms, though a proposed amendment to the SEC's Regulation S-P would add this.
That proposed amendment, 17 CFR Part 248, “Privacy of Consumer Financial Information and Safeguarding Personal Information,” was published in March of 2008 but remains pending. It is unclear when it will be finalized.
Both bodies recommend — but don't mandate — the use of encryption to protect client personal data.
There is lots of other good information to be had in the related stories below.
Related stories:
Make sure all your data are safe; unencrypted portable devices can put your clients at risk
Making your systems more hacker-resistant
Encryption and protection of client data, SEC, Finra, Massachusetts and Nevada
Tech under the tree: Apricorn Aegis Padlock secure portable hard drive; TechnoStuff advisers can use
Data theft puts LPL clients at risk
