Advisors and data security experts are on the offensive after the recent data breach at Wells Fargo.
In mid-July, word leaked out that a lawyer working with the banking giant shared private client data, including Social Security numbers, and compensation details linked to 50,000 financial clients and investment advisors.
The data was made public when the Wells Fargo attorney delivered the information to an opposing attorney’s law firm, as part of an ongoing litigation case involving a former Wells advisor who is suing the bank.
Wells Fargo attorney Angela Turiano, a New York-based principal at Bressler, Amery & Ross, said the opposing attorney leaked the sensitive data to The New York Times. The newspaper followed up with a story reporting the leak.
Turiano called the data leak “accidental,” and said she hadn’t vetted the data properly. Wells Fargo has a security protocol to follow when handling private company data.
“I thus inadvertently provided documents that had not been reviewed by me for confidentiality and privilege,” she said in an affidavit.
Managing the Data
Accidental or not, the Wells data leak amplified the necessity of protecting client data, a scenario that some financial industry data experts say needs improvement.
“It's a fact of business today that customer and other proprietary data, in many cases, must be shared with vendors and other third parties in order to effectively originate and manage accounts,” said Greg Bonin, chief operating officer at XOR Data Exchange, a data protection company based in Austin, Texas.
Yet managing the secure flow of that data is proving problematic.
“The huge Wells Fargo breach was completely a human error, and an indicator of very poor business practices coupled with ineffective security education,” said Rebecca Herold, president of SIMBUS360 in Des Moines, Iowa. “Some of the glaring problems that were revealed by this huge, preventable breach, including the fact that human error is just as much of a threat as vulnerable systems.”
But that’s not all – not even close, says Herold.
“You also have to look at the lack of effective information security and privacy training involved in the Wells case, which all financial firms should study,” she said.
Laws dictate only sending the minimum amount of sensitive data as required, Herold explained.
“This is called the “minimum necessary” privacy principle, and one that has existed for decades, and has been established in multiple laws and regulations over the past 25–35 years as well,” she added.
Additionally, Wells had a set of policies and supporting procedures for handling and
transmitting large amounts of client data, but the system failed all the same, Herold noted.
“If procedures existed for providing personal date to others outside the organization, why weren’t they followed?” she asked. “This is typically an indicator that the organization is not enforcing their own data security and privacy policies and procedures.”
Checklist for Data Security
There are several primary key types of assessments financial firms can securely use to
evaluate client data security, Herold said. Here’s her list, along with reasons why each item is important for financial firms to address:
Risk assessment: This identifies the networks, systems and applications for security risks, Herold said, and is also a requirement of multiple regulations and industry standards.
“This covers all information security domains, including administrative controls that include data security training and ongoing awareness reminders, which could have prevented the Wells Fargo breach,” she said.
Privacy impact assessment: PIM is an assessment specific to identifying risks to personal data, which also identify potential harms to the associated individuals.
“This is increasingly being expected to be an activity performed within an information security and privacy program,” Herold said, adding that it is also a federal and international regulatory requirement.
Compliance audit: An audit is a recommended practice for all types of organizations, but certainly expected of financial organizations.
“The audit checks the data security and privacy legal requirements for data, network,
systems and applications security settings and controls,” Herold said. “They can be
performed by internal auditors, or from contracted third parties.”
Vulnerability assessment: An assessment identifies the vulnerabilities within an
organization’s information management processes and systems, Herold said.
“This checks for such things as systems and applications patching practices and current
versions in use, insider risks related to workers, and things like that,” she added.
'Take Proactive Steps'
There’s “no doubt” that financial institutions are under increasing pressure from regulators to protect client data, said Meghan McAlpine, director of strategy and product marketing for alternative investments at Intralinks in New York City. “That fact, coupled with an increase in cyberattacks as of late, should be a signal for global financial institutions to take proactive steps to increase cyber security initiatives.”
Wealth management firms should strengthen policies and procedures related to safeguarding client data so that clients feel safer doing business, McAlpine said.
“Firms should also provide alternatives to email when sharing high-value information,” she said. “Delivering investment reports to clients using outdated methods like email and overnight mail don't provide the necessary safeguards for information this sensitive.”
Plus, any technology put into place should be secure and fully audited.
“Any vendor that houses sensitive client data should be 'diligenced' regularly,” she added. “If a vendor is unwilling to be transparent or open to a full audit, that should be a red flag.
“Overall, making the investments in secure technology and training staff on best practices for sharing and storing sensitive data are the best defense against data breaches,” McAlpine said.
Brian O'Connell is a former Wall Street bond trader, and author of the best-selling books, The 401k Millionaire and CNBC's Guide to Creating Wealth. He's a regular contributor to major media business platforms, including CBS News, The Street.com, and Bloomberg. Brian may be contacted at [email protected]
© Entire contents copyright 2017 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.