You’ve heard how cyber-attacks on big organizations like JPMorgan Chase, health insurer Anthem, and the federal Office of Personnel Management have put the personal information of tens of millions of Americans potentially at risk.
But what if the biggest threat to your privacy comes from the practices of your local financial advisor, longtime lawyer, or trusty CPA? Smaller firms are not only keeping sensitive client information on their own servers but also moving it onto the cloud, even though some haven’t the foggiest notion of what they’re doing. All it takes to get started, observes Ross Hogan, global head of the fraud prevention division at Kaspersky Lab, is a signed contract with a cloud provider. The ability to be up and running with little effort (and potentially even less understanding of how the cloud works), Hogan says, poses a risk to clients.
Consider the experience (or inexperience) of R. T. Jones Capital Equities Management, a St. Louis registered investment advisor. In September it agreed to pay a $75,000 fine and be censured to settle Securities & Exchange Commission charges that it failed to safeguard clients’ personal data. That data was stored on Jones’ third-party-hosted Web server and was neither encrypted nor kept behind a firewall, the SEC alleged. Worse, while Jones managed retirement money for fewer than 8,000 workers, personal data of 100,000 (who were eligible for its “Artesys” managed accounts, whether they signed up for them or not) was stored on the server and potentially compromised when the site was hacked in 2013 from multiple Chinese IP addresses. Jones, as is standard, didn’t admit or deny the SEC charges, and it did not respond to FORBES’ request for comment. But according to the SEC’s cease-and-desist order, after the breach, the firm hired cybersecurity experts and fixed those glaring security problems.
How typical were Jones’ lapses? Hard to say. The SEC has had a rule on the books since 2000 requiring investment advisors to secure customer data. But it made cybersecurity a focus of compliance exams only this year.
CPAs and lawyers, for their part, are generally bound by state rules that may or may not require them to take precautions when putting your data in the cloud. Think of all the personal financial and other information your CPA and lawyer have about you–a lot more sensitive, potentially, than your Social Security or credit card number.
What can you do to protect yourself? Ask questions. While your advisor probably isn’t a technology expert, he should know enough to answer some basic questions about data security. Take it as a warning sign if he can’t.
Hogan suggests starting with: What information of mine are you storing on the cloud? Why is it kept there? Your advisor should be able to explain a business purpose, beyond the firm’s convenience, for storing your data, Hogan says. Not everything about you needs to be online.
Assuming your information is online, ask follow-up questions. What about encryption? Where is the data stored? Is it a public or private cloud? If public, why? Finally–and this one might get your advisor’s attention–is your firm insured against cybercrimes and hacks?
