I was home recuperating from surgery last year when I tuned onto the Rosie O'Donnell show. Rosie's guests showed up one by one, with a toy, a T-shirt or their latest music CD, signed their name on the item and handed it to Rosie to auction on eBay. The proceeds benefited her charity. I was fascinated, ran to my computer and linked to eBay. From the first time I visited, I was hooked.
There is plenty of stuff to pick through, and if something appeals to you, you just type in what you are willing to pay for it and wait out the number of days until the auction ends. It's sort of an international garage sale, and you don't even have to leave the house. It really can get exciting if you get into a bidding war.
But it's not the auction that truly amazes me, it's the unquestionable trust we must have that compels us to pay for items, fully expecting that the sellers will send them to us after they've been paid. Even more fascinating is the familiarity we all instantly fall into as we e-mail total strangers about our transactions.
The total trust and familiarity are baffling. "Hey, Betty," I write to some unknown person in New Zealand, "I just won the bone china set. Tell me how much the shipping will be, and I will put it on PayPal."
PayPal is another interesting phenomenon. Otherwise rational people sign up to put their credit cards and checking account numbers on this site so that they can pay instantly for the goods, thereby getting their "new" stuff within a couple days. I don't know who owns PayPal, I don't know exactly what the protection procedures are, but I do know that my personal information is sitting there, protected from my end by a password that my 6-year-old nephew could probably figure out.
This brings me to the subject of privacy. The Graham-Leach-Bliley Act of 1999 requires that financial institutions and advisors issue a privacy-policy statement, enumerating the various ways that we as advisors protect our clients' private information. We have to report how we handle nonpublic personal information, information disclosure to third parties, information we provide to our service providers and joint-marketing partners and disclosures of information about former customers. We also must report how we continually preserve and protect the confidentiality of our current customer base. There are tons of places to get information on this. The Financial Planning Association issued a "tool kit" to walk you through the preparation of this disclosure form. (By the way, if you do not have this kit, it is worth the price of membership to get it. Call (800) 322-4237 or visit the FPA Web site at www.fpanet.org )
Filling out the form itself is the least of our problems. One of my colleagues tells me that his clients give him the passwords to all their bank accounts and other brokerage accounts so that he can provide full reporting. He doesn't use aggregation software, but manually enters clients' data to Centerpiece. "How can I do less?" he asks. "I'm a financial planner, and I should deal with all of my client's issues, not just the assets he's entrusted to me to actively manage."
There's no question in my mind that account aggregation on a grand scale is where we are all going. In fact, my firm has just formed a relationship with the company By All Accounts (www.byallaccounts.com). Soon, we will be able to provide not only account aggregation, but also dynamic cash-flow and net-worth statements. Wow! Now, what does this mean in the world of privacy?
There's a twofold problem here. First, as advisors, we are accepting responsibility for very confidential information, and not just accepting it, we are entrusted with it by our clients so that we can make their lives easier and save them time. The safeguarding of their privacy has been delegated to us. We, in turn, have to entrust our information to various third parties that provide software and other tools and Internet arrangements for us to operate our businesses. What do we really know about these people, and how can we assure ourselves, and thus our clients, that we actually can live up to those fancy privacy documents that we distribute?
A couple of months ago, our firm was testing some great financial planning software. Since it is collaborative software, we signed up. We then were able to sign up various clients, allowing them to complete the data entry or, at the very least, refine the data that we had entered for them. One afternoon, our intern signed on as a new individual so that he could begin to enter information on a new client at this site. As he picked through the names listed, he noticed that he could simply click on any name and bring up his or her data file. He recognized the names of half these people, but half he'd never heard of before. We were being allowed to view anybody who put data in there. We immediately called the software developer to report this issue. The developer already was aware of the problem.
"It's a quick fix," he assured us. "We're still in the developmental process, and we make changes like these on a daily basis." Of course, we already had told our clients that they were participating in a testing phase, but we learned we need to know specifically how data is treated in every instance, even when it's in beta.
Our second problem as advisors is that as we feel our way along the issues of privacy, we also must acknowledge that our clients also are consumers and independently access many Web sites. Their individual use of Internet access compounds our ability to protect them at certain levels. Many sites drop a "cookie" onto your disk when you visit. That cookie can tell a lot about you as a consumer, as well as control your access to different aspects of a site you've visited. I was speaking with a Webmaster of a financial planning site recently and asked her how she controls the message boards and chat rooms. "First, I read everything, which is a big job in itself. But then when I begin to find a pattern of behavior that is unacceptable to us, I can drop a cookie on the offender's site, and unless he gets a new computer, he won't be able to (and won't know why he cannot) log on to different places on our site."
As account aggregation becomes an increasingly important part of our client-support system, we will need to make serious decisions about our capabilities to protect clients' information. This information is surely personal property and worth a great deal in the marketplace. We have no idea how valuable information can be in the way of buying habits, product recognition and use, as well pricing and access to service.
For example, a few months ago, a fellow Rotary member, who is a genetic scientist, was explaining the impact of his research on our daily lives. He was particularly concerned about how dangerous certain private, yet seemingly inconsequential, knowledge is in the marketplace. For example, he says he has a genetic tendency toward hangnails. We all agreed that the knowledge of his hangnails has very little value in the scheme of things. However, he tells us that with this information, an insurer could anticipate that he will be prone to certain diseases that can be transmitted through the open skin on his hands, a situation that would ultimately result in that insurer rating his health coverage, costing him more money.
The terrorist attacks on the United States on September 11 brought the issue of privacy into different focus. Many people watched the debris floating down from the World Trade Center collapse and could not help thinking, along with grieving for victims, that perhaps some of that floating debris may just be their private financial information. Companies like Morgan Stanley scrambled to assure America that their data was safe. But, our perspective on "safe" has changed. It was interesting that as we called our clients the day after the attacks, their privacy and data protection was questioned before the current value of their portfolios.
The information that clients share with us on a purely private basis can result in a liability exposure that we have not considered. We wouldn't let a client drop a fully-executed stock certificate on our desks at the office, yet we have no qualms about collecting data on him that is perhaps even more valuable in the right hands. Douglas Neal and Nicholas Morgan in the Autumn 2000 issue of Wilson Quarterly proposed that the personal data of an individual is their personal property. "A large part of the threat to privacy today arises from the fact that in an increasingly networked world, data about individuals-everything from their age and sex to their buying habits-have increasing monetary value."
Their theory is that since this information is so valuable, organizations, charities and others interested in that raw data should pay the consumer for it. They maintain that advisors like us would be the natural third parties who would be trusted by both purchasers and consumers. Since we have extensive experience in handling sensitive data anyway, we would be able to manage these relationships effectively for the financial benefit of our clients. Imagine being an information broker for your clients, along with the other services that you provide for them. When marketers call your clients, you'd get the calls and set a price for them to talk with your clients. No pay, no access. It may sound silly now, but the fact is, you are sitting on information that many people in the marketplace would love to have and would be willing to pay for.
To me, it is patently clear that we must take the issues of privacy much more seriously and with more paranoia than we ever have before. We must educate our clients that protection of their data is a joint effort. We need to share our direct-line knowledge, supplying information regarding the "black hole" of the Internet where they leave their names, credit card numbers, social security numbers and even preferences about their world. We need to ensure that those we have selected to share joint responsibility in the care of our clients' data fully understand and respect the importance of their role. We also need to understand what steps they are taking to safeguard that data. Finally, we need to encourage our clients to notify us of any actions that they personally take that may affect their ability to protect their own privacy. The more aware our clients are of the privacy risks lurking in the real world, the better we can educate, advise and support them in the protection of their privacy.
Deena Katz, CFP, is a partner in Evensky, Brown & Katz in Coral Gables, Fla.