The recent data breach involving Morgan Stanley Smith Barney LLC should serve as a warning to financial advisers that important steps need to be taken to improve the security of sensitive client information stored on CD-ROMs.
Personal information belonging to 34,000 investment clients of MSSB was lost, and possibly stolen, last month in the data breach. The data were saved on two CDs that were password-protected but not encrypted. This offers little protection against a determined, knowledgeable criminal.
The company mailed the CDs containing information about investors in tax-exempt funds and bonds to the New York State Department of Taxation and Finance. The package apparently was intact when it reached the department, but by the time it arrived on the desk of its intended recipient, the CDs were missing.
This incident should also serve as a reminder to advisers that data breaches can occur whether information is stored on a CD or DVD, a USB memory stick or a portable hard drive, or sent by e-mail. That's why encryption of data is essential.
PEACE OF MIND
Advisers need to make sure that the drives in desktop computers and laptops are encrypted and that the machines require a password when booting up and when coming out of sleep mode. Aside from securing the devices with passwords, locking up the data with encryption will give you peace of mind and let you avoid having to notify your state attorney general's office of a breach. (An added layer of protection would be locking office computers to a desk or to the floor.)
Granted, this may seem tedious, but it's important to remember that desktop computers and laptops are in fact portable and are often stolen during break-ins.
While 45 states have laws that require the reporting of privacy breaches, only Massachusetts and Nevada require that encryption be used for the storage or transmission of a client's personal data. California could follow, based on proposed legislation.
What's more, the Financial Industry Regulatory Authority Inc. and the Securities and Exchange Commission don't require notification of privacy breaches by advisers or firms. However, a proposed amendment to the SEC's Regulation S-P would add such a requirement.
That proposed amendment, 17 CFR Part 248, “Privacy of Consumer Financial Information and Safeguarding Personal Information,” was published in March of 2008 and it is still pending. It is unclear if or when it will be finalized.
Although the use of encryption isn't mandated, advisers should still take steps to safeguard client data.
Matt Sarrel, a certified information systems security professional and founder of Sarrel Group, a private-network and information security consulting firm, suggests that advisers first consult their e-mail provider to discuss encryption options.
Many e-mail providers offer encryption, often at an additional charge. Some build the service themselves, but many resell offerings from other, more security-focused vendors.
There are product offerings from companies that cater specifically to financial services and investment advisory firms, including DataMotion Inc., Digital Info Security Co. Inc., Global Relay Communications Inc., LiveOffice LLC, Smarsh Inc. and Voltage Security Inc.
When using Smarsh, for example, an advisory firm can add smarshEncrypt, which was designed to work seamlessly with the archiving service. The solution is a hosted secure messaging platform that allows users to send and receive messages and files securely.
Administrators or compliance officers can set firmwide policies to ensure sensitive messages aren't sent without encryption. For example, an e-mail to a specific recipient or a message featuring specific content in the body or in the attachment can trigger delivery via smarshEncrypt. A message may also be encrypted manually.
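The policy logic described above (encrypt when the recipient, body text or attachment matches a firmwide rule, or when the sender asks for it) can be sketched in a few dozen lines. The example below is added here for illustration; it is not smarshEncrypt's or any vendor's code, and the recipient lists, regular expressions and sample messages are constructed for the example. It generalizes slightly beyond the text by also scanning text attachments for the same content patterns as the body.

```python
"""Policy-driven "encrypt before send" check.

Added illustration, not any vendor's code: a message is routed to encrypted
delivery when its recipients, body or attachments match a firmwide rule, or
when the sender manually requests encryption. All rule values and sample
messages below are constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Recipients and domains that must always receive encrypted mail (constructed).
ALWAYS_ENCRYPT_RECIPIENTS = {"tax.dept@example.gov"}
ALWAYS_ENCRYPT_DOMAINS = {"regulator.example"}

# Content patterns that indicate sensitive personal data (constructed).
CONTENT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "account_number": re.compile(r"\baccount\s*(?:no\.?|number|#)\s*:?\s*\d{6,}\b", re.I),
    "keyword": re.compile(r"\b(?:tax id|date of birth|dob)\b", re.I),
}

# Attachment names that warrant encryption regardless of body text (constructed).
ATTACHMENT_PATTERNS = (
    re.compile(r"client[_ -]?list", re.I),
    re.compile(r"\b1099\b"),
    re.compile(r"\.csv$", re.I),
)


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str
    attachments: list[tuple[str, bytes]] = field(default_factory=list)
    encrypt_requested: bool = False  # manual override chosen by the sender


def evaluate_policy(msg: Message) -> list[str]:
    """Return every policy reason that requires encryption; empty means it may go in clear."""
    reasons = []
    if msg.encrypt_requested:
        reasons.append("manual:sender requested encryption")

    # Recipient-based rules: exact address first, then domain.
    for rcpt in msg.recipients:
        addr = rcpt.strip().lower()
        domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
        if addr in ALWAYS_ENCRYPT_RECIPIENTS:
            reasons.append(f"recipient:{addr}")
        elif domain in ALWAYS_ENCRYPT_DOMAINS:
            reasons.append(f"recipient-domain:{domain}")

    # Content-based rules over subject and body.
    text = f"{msg.subject}\n{msg.body}"
    for name, pat in CONTENT_PATTERNS.items():
        if pat.search(text):
            reasons.append(f"content:{name}")

    # Attachment rules: match on the file name, otherwise scan text attachments.
    for fname, data in msg.attachments:
        if any(p.search(fname) for p in ATTACHMENT_PATTERNS):
            reasons.append(f"attachment-name:{fname}")
            continue
        try:
            content = data.decode("utf-8")
        except UnicodeDecodeError:
            continue  # binary attachment; name rules are the only check here
        for name, pat in CONTENT_PATTERNS.items():
            if pat.search(content):
                reasons.append(f"attachment-content:{fname}:{name}")
    return reasons


def route(msg: Message) -> str:
    """Delivery channel chosen by the policy engine."""
    return "encrypted" if evaluate_policy(msg) else "plain"


# Constructed sample traffic for the demonstration.
SAMPLE_MESSAGES = {
    "newsletter": Message("adviser@firm.example", ["client@example.com"],
                          "Quarterly commentary", "Market commentary attached.",
                          [("commentary.pdf", b"%PDF-1.4 constructed placeholder")]),
    "ssn_in_body": Message("adviser@firm.example", ["client@example.com"],
                           "Account opening", "Confirming your SSN 123-45-6789 on file."),
    "regulator": Message("adviser@firm.example", ["tax.dept@example.gov"],
                         "Filing", "Cover letter for the annual filing is attached."),
    "csv_attachment": Message("adviser@firm.example", ["ops@partner.example"],
                              "Holdings", "See attached.", [("holdings.csv", b"name,value")]),
    "dob_attachment": Message("adviser@firm.example", ["client@example.com"],
                              "Notes", "Meeting notes attached.",
                              [("notes.txt", b"Client DOB: 1970-01-01")]),
}


def demo() -> dict[str, str]:
    """Route every sample message and return the channel chosen for each."""
    return {name: route(msg) for name, msg in SAMPLE_MESSAGES.items()}
```

Running `demo()` shows only the newsletter leaving in the clear; each other message trips at least one rule, and `evaluate_policy` lists which one, which is the audit trail a compliance officer would want when a message is forced into the encrypted channel.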
The cost of the service ranges from $5 to $25 per user per month, depending on the size of the firm and any discounts for using other Smarsh services.
DataMotion SecureMail (from DataMotion Inc.) and Voltage SecureMail (from Voltage Security Inc.) are two other examples of dedicated premium encrypted e-mail services that advisers may want to look into for data security.
These solutions are a separate service that applies encryption on top of the e-mail system you already use.
The DataMotion product starts at $99 a year for a single license. The firm also offers a SecureMail Gateway product, which is a companywide system, the price of which depends on the number of users and several other parameters. Its products can be purchased either directly or through a value-added reseller or consultants.
Voltage SecureMail Cloud, Standard Edition, has business-oriented features — including policy management and key management — that start at $5,850 for 100 users per year.
It has become apparent that many advisory firms are migrating their on-premises e-mail to web-based or cloud-based providers.
Although prices may be higher in the short term, over the long term, advisers will save money by no longer having to buy hardware, renew licenses, apply security patches and updates, or keep consultants on retainer. You get the picture.
In addition, once services are in the cloud, layering on other cloud services — encryption, for example — often becomes less problematic.
Links to products and services discussed in this story:
DataMotion SecureMail
Global Relay
LiveOffice AdvisorMail
smarshEncrypt
Voltage SecureMail
Related stories:
Make sure all your data are safe; unencrypted portable devices can put your clients at risk
Making your systems more hacker-resistant
Encryption and protection of client data, SEC, Finra, Massachusetts and Nevada
Tech under the tree: Apricorn Aegis Padlock secure portable hard drive; TechnoStuff advisers can use
Data theft puts LPL clients at risk
E-mail Davis D. Janowski at djanowski@investmentnews.com.