Is Your Client's Private Info Secure?
A new Massachusetts law aimed at protecting personal information went into effect last month and could ultimately require financial advisors to boost their security measures to protect client data.
The law, Massachusetts 201 CMR 17.00, establishes minimum standards for safeguarding personal information contained in both paper and electronic records. The law applies to any business or entity that owns or licenses, receives, stores, maintains, processes or otherwise has access to personal information.
And that includes any broker-dealer or RIA with one or more clients in Massachusetts. "The law deals with issues our industry has been skirting for the past couple of years such as personal privacy, encryption and processes," says Joel Bruckenstein, an industry consultant on technology issues. "My opinion is they'll serve as a template for the rest of the country."
Some advisory firms have taken action, and plan to take more action down the road. Securities America Inc., for example, has rolled out technology solutions for its reps with Massachusetts clients. "We have plans to roll it out to all of our reps in a second phase later this year," says Kevin Miller, Securities America's chief compliance officer.
According to the law, personal information is defined as a person's first and last names, or first initial and last name in combination with any one or more of the following: Social Security number; driver's license or state-issued ID card numbers; financial account numbers; and credit or debit card numbers.
Among other things, the law requires entities that control personal information to designate one or more persons to oversee a comprehensive security program; identify foreseeable internal and external security risks; devise policies regarding employee access to client personal information outside the business premises; and have reasonable restrictions for physically accessing records.
In addition, companies must secure user IDs and other identifiers, and have a reasonably secure method of assigning and selecting passwords, or of using identifier technologies such as biometrics or token devices. They must also restrict access to records and files containing personal information to only those who need that information, assign unique identifications plus passwords that aren't vendor-supplied default passwords, and encrypt all transmitted records containing personal information that travel across public networks.
And there's much more. The maximum fine per violation is $5,000.
In practical terms, the law means affected advisors will have to do a lot more encryption, be more creative and vigilant about passwords, and even carefully vet the people who clean the office.
"Potentially there's personal information in both an e-mail and an attachment, so both need to be encrypted," says Warren Mackensen, a certified financial planner in Hampton, N.H., and president of Pro Tracker Software, a provider of practice management software for financial planners.
Mackensen says people need to put more thought into creating passwords because hackers using software readily available online can quickly crack simple password codes of fewer than eight digits.