In this age of malicious software embedded in Web sites and spam e-mail, of e-mail phishing and identity theft, of electronic eavesdropping, computer viruses and other means of stealing information, it should seem obvious to most financial advisors that taking steps to protect client and firm data would be warranted. Yet many firms still do not take these threats seriously, leaving information openly accessible to anyone who happens to wander by.
Let's take one case in point. An advisor welcomes clients into his office for a meeting, rather than into a conference room. Piled on his desk are a number of client files, including those of clients other than the ones seated in front of him. He steps out of the room for a moment to retrieve some papers, and the client glances at the files spread out on the desk. While this may seem an entirely innocent situation, it demonstrates the vulnerability of financial advisors who are simply too busy to notice such details. Most of us "trust" that our clients are honest. But the requirements of Regulation S-P of the Gramm-Leach-Bliley Act are oblivious to the "honesty of a snooping person."
This regulation (http://www.sec.gov/rules/final/34-42974.htm#P458_181230) generally requires each broker-dealer, investment company and investment advisor to:
Provide each of its customers with a notice of its privacy policies and practices at the time of establishing the customer relationship (the initial notice) and annually thereafter (the annual notice);
Provide each of its consumers (who have not yet become customers) with an initial notice before disclosing nonpublic personal information about that consumer to a nonaffiliated third party;
Refrain from sharing nonpublic personal information about a consumer with a nonaffiliated third party unless the institution has provided the consumer with an initial notice and an additional notice describing the activity and the consumer's right to prevent it (the opt-out notice); and
Perhaps most important, adopt policies and procedures reasonably designed to: (a) ensure the security and confidentiality of customer records and information; (b) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (c) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
So taking reasonable steps to protect private information is clearly mandated by federal regulations and, frankly, is simply a good practice to pursue. This raises the question, though, of what those reasonable steps should be. Consider a firm with a large office that has a separate file room. The file room is lockable, but it is never locked because the building's cleaning crew needs access to empty the trash and clean the floors. The individual file cabinets chosen for this particular office are not individually lockable (though they could be adapted). It probably does not matter anyway, as several files are likely to be found lying around on work counters in the room. In other offices of this firm, client files are strewn on desks and even stacked on the floor. These are referred to as "working files."
Though these offices could be locked, the cleaning crew, building maintenance and perhaps even former employees have keys. The office has not been re-keyed in years. You might think this is an extreme example of a firm with lax security, but it is not. This is typical of the offices I have visited as a consultant over the years.
This example points to one reasonable step you can take: protect client files by putting them away at the end of each day in a secure, locked environment that cannot be accessed by unauthorized personnel. (Keeping electronic files, that is, "paperless solutions," offers even more security for this information and reduces or eliminates the problem of open files lying around.)
I also recently encountered a firm that used a company business Visa credit card account for its purchases, frequently those made by the office manager for items such as office supplies. Rather than bother the owner of the firm with a request for the card number, expiration date and security code, the office manager wrote this information on a Post-it note and stuck it in an open drawer. This is an open invitation to anyone who has access to the office to steal that information. Though fraudulent credit card purchases can usually be reversed, it is the aggravation and time wasted in correcting the situation that eats into the financial advisory firm's profits. (See the March 2008 Financial Advisor for an article by David Drucker on identity theft.)
Yet a third problem involves the storage of user IDs and passwords for secure Web sites where client information can be found. Many firms simply write these down on a piece of paper or store them in a Microsoft Word document. Access is sometimes difficult, as the IDs may not be in alphabetical order. And by leaving such a list out in the open (at one firm I visited, the list was tacked to a corkboard in the office workroom), you invite unauthorized access and the potential theft of client financial information.
These last two problems could be solved by using a secure, encrypted and password-protected password storage program. Such programs can store not only user IDs and passwords, but also credit card information, protected files and other information. Many such programs are available. One in particular is TK8 Safe (www.tk8.com), which can do all of these things and also offers auto-link and auto-type features that make logging in to a site fast and easy. TK8 has two versions: a standard one and a professional version that can be used in a networked environment with multiple users and varying access levels.
Firms should be careful, though, to ensure that employees use this type of software only for firm-related business. Staffers who are tempted to add their own bank accounts, credit cards or Web site logins could expose the firm to risk, especially in the event of an audit by the SEC or FINRA. The personal version of the software is only $19.95, so employees may wish to consider purchasing that one for home use.