2. Staff training. Find out what programs are in place to teach staff the importance of protecting client privacy.

3. E-mail encryption and communication protocols. What policies do your external service providers have in place to protect electronic information? Are you accessing or receiving account information in a secure manner? Who is following the chain of control over your client's private and confidential information?

4. Due diligence of vendors. Find out what your provider does in order to ensure that its vendors are operating in a sound and secure manner. If the vendors have your private information, you are entitled to know this.

5. Industry certifications. Does your service provider maintain any industry certifications that demonstrate, to an independent reviewer, that they are operating in a sound and secure manner?

6. References. Talk to other SFOs and industry colleagues who have had experience with your service providers. Check with industry groups that rate service providers.

7. What do they outsource? Find out what tasks your service providers outsource and to whom they are outsourced. You will likely be surprised that your service provider has a number of other firms that have your private information.

Internal Technology
Internal technology, including computer hardware, software, the Internet and portable devices, requires extensive security measures to protect clients' privacy and confidentiality. These are the potential vulnerabilities that should be addressed:

1. Laptop/portable device security. Laptops, PDAs and cell phones all contain private and confidential information, and these devices must be considered vital assets that need to be safeguarded. Consequently, all mobile devices should be password protected, and security procedures should be in place in case a device is lost or stolen.

2. E-mail encryption policy. SFOs should have an e-mail policy in place that includes message encryption. Encryption software will convert sensitive information such as passwords, names, identification numbers and account numbers into unintelligible information. This, together with good internal policy regarding the use of e-mail, will help protect a family's privacy and confidentiality.

3. Internet access policy. SFOs should have an Internet access policy in place that requires access only through an approved firewall and/or an approved Internet service provider. Financial transactions and other messages that include account numbers and other personal information should not be sent over the Internet unless they have first been encrypted. Software downloads over the Internet should be for business-related needs from trusted, well-known business partners. Staff should be prohibited from downloading music, videos or other applications for personal use.