NEW YORK (Dow Jones)--How advisers keep client information confidential is of
increasing concern to regulators.
A new Massachusetts law aimed at preventing data breaches serves to highlight
the trend, as well as the need to develop compliance policies that keep up with
ever-changing privacy laws.
The regulation, which became effective this month, applies to all types of
businesses, including investment advisers and brokerages, that store or maintain
personal information about Massachusetts residents. It applies not just to
companies based in the state but to those that do business with residents.
Massachusetts now mandates that companies develop and implement a written
information security policy for personal data, explaining how records are
protected, among other things. Requirements include encrypting data, such as
email messages, that are sent through public networks.
About 45 states have some type of privacy law, and the new one in
Massachusetts is the most stringent, says Barry Schwartz, a partner with ACA
Compliance Group in Boca Raton, Fla.
The law requires that businesses designate a privacy officer. While hiring
someone new to fill that role may be out of the question for smaller firms, they
can comply by assigning the duties to an existing compliance officer or head of
information technology, Schwartz says.
The rules aren't really draconian, says Larry Goldfarb, a former UBS AG (UBS)
compliance officer and co-founder of Compliance11, a Chicago software company.
Safeguarding and encrypting information is a "very reasonable" measure, he said,
and developing a data privacy policy is important regardless of the law.
Still, some advisers aren't focused enough on protecting client data.
Kris Easter, assistant director of the Securities and Exchange Commission's
Office of Compliance Inspections and Examinations, recently spoke about alarming
privacy lapses it has detected. Some firms overlook controls as simple as
locking doors and file cabinets to prevent unauthorized access to client
paperwork, she said at an industry conference.
Office computers with access to clients' financial information sometimes
aren't password-protected or set to log out after a period of inactivity, she
said. Also, some customers are told to use their Social Security numbers to log
into firm Web sites, making them vulnerable to identity theft.
In one case, brokers stored client information on their personal computers and
were responsible for installing their own anti-virus software. One broker's
computer was hacked by someone who got past the password and gained access to
client data, Easter recounted.
The use of texting and other electronic communications can complicate
development of data privacy policies, says Todd Cohan, president of TextGuard in
Kenilworth, N.J. His company helps firms monitor and archive communications sent
through mobile devices.
Some financial services companies will simply disable a phone's texting
ability rather than developing a policy to monitor, encrypt and store the
communications, he says. Employees sometimes then text from a non-company phone,
exposing a firm to possible data breaches.
Jervis Hough, founder of Taurus Compliance Consulting, LLC in Aventura, Fla.,
recommends compliance officers get training in data security issues, such as the
Certified Identity Theft Risk Management Specialist course offered online by the
Institute of Fraud Risk Management in Reno, Nev.
Information technology and legal staff should also consult regularly to ensure
that safeguards comply with rapidly changing laws, he says.
"The combination of those two departments can aid in ensuring the rest of the
world is cut off from your non-public information," he says.
(Suzanne Barlyn writes Compliance Watch, a column that focuses on compliance
and regulatory issues affecting financial advisers. She can be reached at
212-416-2230 or by email at suzanne.barlyn@dowjones.com)
(END) Dow Jones Newswires
03-24-10 1123ET
Copyright (c) 2010 Dow Jones & Company, Inc.