We read about all the large data lapses in the news—credit card info for thousands of TJ Maxx customers stolen, Countrywide losing mortgage application data for thousands of people, etc. Unless you’ve actually been a victim or know one, it sounds scary—but a rather distant problem. The issue hits closer to advisors when a brand-name financial services company loses a disk or suffers a data hijacking.
On a much more personal scale, however, what would a data leak do to your practice? If a hacker breaks into your data files or if you lose a laptop at the airport (where over 10,000 laptops are lost or stolen each week, according to the Ponemon Institute), it wouldn’t be just the local police or FBI that would be notified. Every current or former client who had one single bit of data in your files would need to be contacted and alerted to what happened.
All of the work you invested in relationships to build trust could be jeopardized by a hacker breaking into your files—or someone in your firm leaving a laptop unattended for a minute while using the free Wi-Fi at Starbucks.
While trust is the heart of client relationships, for those who work with high-net-worth and ultra-high-net-worth clients, the stakes are even greater and that trust even harder to earn given that the complexity of the wealth holdings can have implications for extended family members, multiple generations, and even partners and employees if a business is on the list of assets.
When an advisor participates in an advanced planning team, all members must earn the trust of each other—and the client. If one member does something that causes others to question his trustworthiness, the reputation of the whole team is at stake—especially in the eyes of the client. When it comes to protecting the personal information of clients, even a small lapse or loss can force hundreds of clients to question their relationship with the advisor.
Data At Risk
The threats to client data come in many guises, according to Perimeter, a security consultant. Hackers breaking into data systems are the leading cause of incidents in the financial services industry, and the reason that most records are compromised.
If you’re an independent with only a couple of employees, don’t assume that hackers aren’t interested in your data. They are always on the hunt and can feed 24/7. They don’t necessarily go after specific machines; they simply scan hundreds or thousands of machines automatically, looking for a way past the safeguards.
“The Internet today is like a walk through a vineyard, with the attackers stopping here and there to pick a grape at their leisure,” Sun Microsystems’ Security Chief Brad Powell has stated. “The feast is seemingly never-ending.”
Even if you follow top-level security guidelines, your clients could be at risk from other businesses that have access to their personal information. In the event of an exposure, you could be pulled in to help with remedial efforts.
The types of private personal information lapses include:
Hacker directly gains access to your office computer system. A Malaysian hacker was indicted in November for breaking into the Federal Reserve Bank’s computer network and taking more than 400,000 credit and debit card numbers. When he was arrested at JFK airport by Secret Service agents, they seized his laptop, which was “heavily encrypted,” a security step highly recommended to prevent easy access by an unauthorized person.
Computers infected by malware, malicious software typically installed from an e-mail or a downloaded file with hidden computer code that’s designed to secretly capture data and send it to a criminal. In early December, a laptop at the Pentagon Federal Credit Union became infected with malware, which allowed unauthorized access to a database with Social Security, account, credit and debit card numbers, and more. In another case, a major insurance company discovered that the login credentials for an independent sales professional were being used by an unauthorized person. The Secret Service investigated and concluded that the person used keylogger software, which hides on a computer, secretly records every keystroke and sends the record over the Internet to the criminal.
Employees tricked into or conspiring to provide client personal information to unauthorized persons. An Interbank employee working in the information technology group placed files for about 13,000 customers on a personal website that was accessible via the Internet for at least a year. A customer discovered the problem when she did a Google search of her name and saw her name, address, phone numbers, date of birth, Social Security number, driver’s license number and bank account number as part of the results.
Personal information was sent in an e-mail. Deloitte Tax LLP sent an e-mail to the employee of a client that included the personal Social Security numbers and pay slips of fellow employees.
Posting private information on a social media site or website, even if seemingly innocent. In Boston last January, the names, Social Security numbers and medical information for 1,300 current and former students at Wentworth Institute of Technology were available in a file accessible from the school’s website.
Computer malfunction or human error exposes sensitive data. Citigroup sent 600,000 customers their annual tax documents with one unwanted addition: their Social Security number was printed on the outside of the envelope.
Using window envelopes that allow unauthorized persons to view the sensitive information inside. Current and former employees of Equifax received their W-2 forms with one problem—their Social Security numbers were visible through the return address window in the envelope.
Paper files placed in a public space so that they can be viewed or taken by passersby. A financial services firm and bank confirmed a client’s annuity cash withdrawal via fax, which contained the client’s name, Social Security number and brokerage account number. The printed fax number was incorrect, however, and the form was sent instead to an unaffiliated company.
Documents left in dumpsters. A tax preparation service in Virginia left returns unshredded in a dumpster.
Lost or stolen laptops, iPads, smartphones, typically while away from the office or home. This example is not from financial services, but the details are too astonishing not to include. An employee of Tulane University used a laptop with the W-2 information for more than 10,000 administrative and academic staff, plus part-time student workers. During winter break, this person left the unencrypted laptop in a briefcase in a locked car while on an out-of-town trip. It stayed there until Dec. 29 when it was stolen.
Stolen desktop computers and servers, typically taken from the office or home. In 2010, a financial advisor working in a Midwest bank reported that his laptop with sensitive customer data was stolen right from his desk. A similar event—but one wrapped in more irony—also occurred last year. A laptop stolen from the offices of the SEC in Philadelphia contained private personal information related to the clients of a bank and wealth manager. The data was encrypted, but it’s possible the login information may have also been stolen.
Lost or stolen backup drives, CDs, DVDs or other storage devices, such as a thumb flash drive. Last year, a major insurance company sent a CD with customer information, including names, dates of birth and Social Security numbers, to an outside law firm. The FedEx envelope arrived intact, but no one at the firm could locate the disk.
Any old equipment donated or sold without reformatting storage drives. Employees of a manufacturing company noticed that a steel cabinet containing backups of personal information for 540 people was missing. It may have been removed during a mass cleaning prior to the demolition of the building and sent to a landfill in Pennsylvania where it was crushed and buried. Maybe—the company can’t be sure.
Putting Up Your Defense
In the next column, we examine the steps advanced planning advisors can take to protect their clients, teams and practice.