Sure, you safeguard your clients’ data. But what if an employee decides to make off with your files?
The possibility hit the news back in March when a laptop containing the records of some 196,000 Fidelity Investments customers was stolen from an offsite work location. Then in early July a disgruntled employee of Fidelity National (unrelated to Fidelity Investments) stole the records of as many as 2.3 million individuals and sold the data to direct marketers.
You know it’s a strange new world when the National Security Institute’s e-newsletter, NewsWatch, distributed to executives and professionals in defense contracting, government, and industrial security, includes an article on cyberinsurance that protects against “data breach catastrophe.” Cyberinsurance. Against (data) assimilation.
So are you covered?
Your files are valuable, with vital personal and financial data on each of your clients. If you execute trades for them or provide family office services, such as bill paying, you have even more data desired by potential hackers or identity thieves. While you make every effort to secure your files, both paper and electronic, what happens if someone in your office decides to steal that information?
Thirty-eight states, according to Larry Harb of IT Risk Managers, now have laws modeled after California’s groundbreaking Personal Information and Privacy Act. Says Harb, “These laws basically say that if you have my personal and private information . . . [and] you lose my information, you have to notify me.” He adds that these laws mandate “that there be some type of victim assistance program provided because of the problems of identity theft.” Harb points out that, for a 20-person firm with a 5,000-client database, “the reality is . . . that probably 19 persons have access [to that data].”
Aon Corporation’s white paper, “Data Privacy and Information Security,” by Kevin Kalinich, co-national managing director, professional risk solutions, lists a host of circumstances that most advisors probably have not considered in judging whether they are protected against liability for data loss. Even something as small as a data stick gone astray or an outside firm coming in to do computer upgrades can compromise an office’s security. Moreover, as Harb points out, loss of client data can leave an advisor open to compliance issues under the Gramm-Leach-Bliley Act.
But there are options for advisors. Harb says that IT Risk Managers sells coverage called database insurance, providing coverage in three categories: personal identity liability (“because if you lose a database of any size, you’ll end up with a class action lawsuit”); regulatory or administrative action (Gramm-Leach-Bliley); and identity event services–the cost of notification, crisis expense, and post-event services (such as credit monitoring).
According to Harb, “The beauty of this program is that we don’t care how you lose the information, whether it is electronically or in the physical world.” So an advisor is protected “whether it’s a rogue employee” or a third party responsible for the loss. The coverage came out at the end of 2006, Harb adds. Cost varies, depending on the size of an advisor’s database.
But the cost to an advisor without coverage can grow swiftly. Harb points out that the advisor with the 5,000-name database can incur costs of close to $200 per name just to notify each client that the database has been compromised, an action mandated by the state laws mentioned earlier. Then there’s the cost of a regulatory investigation and the need for legal representation. Add in the price tag for credit monitoring services for those clients whose information was compromised, and you’re looking at much more than the price of a policy.
Marlene Y. Satter, a freelance business writer based in New Jersey, can be reached at firstname.lastname@example.org.