The Retail Distribution Review may have been people’s primary focus given the inevitable effect it will have on their future, but firms failing to act on the Data Security paper and the accompanying fact sheet for small firms may not actually make it as far as the implementation of RDR.
The 100 pages of the full report make salutary reading for anyone who might think their confidential information is in safe hands with their financial adviser. The report is littered with examples of industry practices it is hard to see as anything less than negligent. The report makes it very clear that the FSA will consider enforcement action against adviser firms that fail to meet the standards of data security they expect to see.
If the threat of enforcement action is not enough, it is hard to think of any other incident that could be as damaging for the relationship between an adviser and an employer as a serious data loss that necessitated the employer having to notify their workforce that their confidential information had been put at risk.
The FSA fact sheet identifies seven key areas firms should examine when considering their data security. These include the physical level of security over data, controlling who has access to advisers’ offices, the operation of “clear desk” policies, and governance.
Educating staff on data security is also seen as essential, particularly making sure that training is delivered in a way that ensures staff properly comprehend the issues and are tested on their understanding of them. Staff user rights on computer systems should allow them to access the information they need to carry out their role, but only that information, as opposed to system-wide entry. Equally, usernames and passwords must not be shared or written down. In addition, advisers are guided to www.getsafeonline.org for policies to ensure their passwords are sufficiently rigorous and cannot be easily worked out by others.
There are particular concerns about the use of devices that can take customer data offsite. The FSA points out that the Information Commissioner has recently stated that firms should ensure that laptops and other portable devices that can store customer data are encrypted. They go on to say that they support this view and, in the full report, state that they may take enforcement action against firms that fail to encrypt customer data held offsite. This applies not only to laptops but also to items such as USB devices and, particularly, backup tapes that may be taken home.
Reservations are also expressed over the use of web-based e-mail systems like Hotmail and Google mail, social networking sites such as MySpace and Facebook, instant messaging services like Yahoo and MSN Messenger, and file-sharing software. Of these, although advisers have to consider the risks, personally I think it would be regrettable were advisers to be unable to use instant messaging as I have seen it used very productively between advisers and life offices. Such services can allow chat logs to be recorded and perhaps this might be an approach that could be seen to mitigate the risk of instant messaging.
Disposal of data is another area where it is felt there are considerable risks. This again applies not only to electronic media and computer hardware but also the disposal of physical records. There have been several high profile incidents involving the careless disposal of customer paperwork and it is again essential that all staff fully understand the importance of shredding paperwork and properly destroying electronic media.
When files are shown as deleted from hard drives, they are removed from view rather than actually destroyed, and all too often criminals using specialist software are able to recover valuable information from hard drives that have not been properly cleaned. Finally, external contractors are also seen as a significant risk. Advisers need to be sure their cleaning and security contractors make sufficient checks before engaging staff.
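The point that a "deleted" file is only removed from view can be shown directly. The following is an added illustration, not part of the FSA report or fact sheet: it writes a constructed customer record to a temporary file, overwrites every byte of the file in place with random data before unlinking it, and reports whether the original record is still present in the file's raw contents at each stage. The record text, file name and the single-pass overwrite are assumptions made for the example.

```python
import os
import tempfile

CHUNK = 64 * 1024  # write random data in 64 KiB pieces


def overwrite_in_place(path, passes=1):
    """Overwrite every byte of the file at `path` with random data, in place.

    Returns the file size in bytes. The file keeps its length and is not
    removed here, so callers can inspect the result before deleting it.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, CHUNK)
                fh.write(os.urandom(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push the overwrite past the OS write cache
    return size


def secure_delete(path, passes=1):
    """Overwrite the contents, truncate to zero length, then unlink.

    Returns the number of bytes that were overwritten. A plain os.remove()
    would only drop the directory entry and leave the data blocks intact.
    """
    size = overwrite_in_place(path, passes)
    with open(path, "r+b") as fh:
        fh.truncate(0)
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(path)
    return size


def demo():
    """Write a constructed customer record, wipe it, and report what survived."""
    # Constructed sample record; the policy reference is a placeholder.
    marker = b"CUSTOMER RECORD: A. Example, policy ref PLACEHOLDER-001\n"
    record = marker * 200
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "client.txt")
        with open(path, "wb") as fh:
            fh.write(record)
        with open(path, "rb") as fh:
            before = fh.read()
        size = overwrite_in_place(path)
        with open(path, "rb") as fh:
            after = fh.read()  # same length, but now random bytes
        secure_delete(path)
        return {
            "size_before": len(before),
            "marker_in_raw_before": marker in before,
            "size_after_overwrite": size,
            "raw_len_after_overwrite": len(after),
            "marker_in_raw_after_overwrite": marker in after,
            "exists_after_delete": os.path.exists(path),
        }


if __name__ == "__main__":
    print(demo())
```

Overwriting in place is only reliable where the filesystem actually rewrites the same physical blocks; journaling and copy-on-write filesystems, SSD wear levelling and earlier backups can all leave copies that this approach never touches. For portable devices the more dependable control is the one the fact sheet already calls for: encrypt the device, so that destroying the key renders whatever remains on the media unreadable.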
It is clear from the report that the regulator sees that many advisers have historically taken an unacceptably lax attitude to protecting customers’ data, both electronically and on paper. They have clearly called time on such practices and made it very clear that firms that fail to properly protect their customers’ information are risking serious regulatory action.