As financial advisors, we're responsible for keeping our clients' data safe.
We're not the only ones handling that data, though - carriers and medical examiners will also have a hand in the process. But as the saying goes, a chain is only as strong as its weakest link. We don't want to be the weakest link. After all, if something happens and client data is compromised, we lose our clients' trust. Isn't this worth taking a few minutes to deal with now instead of having to make an uncomfortable phone call later?
Security is a complicated subject and one that's easy to put off. But we're going to help you tackle it head-on so you can tell your clients, with confidence, that you have a security plan in place to protect their data.
71% of organizations were affected by a successful cyber attack in 2014.
Two federal laws require us to protect client data: HIPAA and the FMA. You're probably already familiar with HIPAA, which covers protected health information (PHI): individually identifiable health information together with the identifiers attached to it, such as a name, date of birth, or social security number. What you might not know is that HIPAA has limits. It was created to protect health-related information, which we naturally come into contact with while writing life insurance. But as the law is written, it only pertains to medical, dental, and vision records. It does NOT apply to information that exclusively deals with life insurance, critical illness insurance, and disability insurance.
So are we off the hook?
Nope. Information not covered by HIPAA is covered by the Financial Modernization Act (FMA), better known as the Gramm-Leach-Bliley Act, which applies to insurance companies, brokerage firms, and many other financial service providers. This law requires us to ensure our clients' records and personal information are secure and confidential. It requires us to limit access to sensitive information to minimize security breaches, and to use secure passwords to protect stored data. So even if certain information falls outside the scope of HIPAA, we're still liable for its security thanks to the FMA.
Okay, so now we know why we have to protect our clients' data - but what does that actually mean? Client data lives in all of the following places:
- Physical or scanned copies of life insurance applications
- Faxes that store copies of the above documents
- Flash drives and external hard drives that might be used as backup or extra storage
- On-site WiFi networks, routers, and servers
- Backup drives or tapes
- Cloud storage
- Remote servers and remote-access networks (VPN)
Keep in mind this isn't an exhaustive list - these are just the most common places client data ends up in a home office or corporate office situation.
72% of security incidents at financial services organizations involved a current or former employee.
Did any of the "what" items listed above surprise you? Data security covers everything from who has access to your building to the password on your WiFi network to the devices you and your employees use to conduct business.
Since this is such a big subject (too big to cover in a single post), we're going to break it down. In this post, we'll cover the basic precautions you should be taking if you store client data on your computer - which probably applies to all of us. If you store your client data in the cloud with a CRM, you likely still have emails and PDFs stored on your computer that need to be protected and encrypted. Let's talk about what that entails.
- Encryption software. Computers and laptops should use whole-disk encryption so that client data is unreadable on a lost or stolen machine. Luckily, most newer operating systems have built-in encryption; most of the time, all you have to do is turn it on. Two caveats: encryption only protects the data while the machine is powered off or locked, so pair it with a login password and an automatic screen lock, and keep the recovery key somewhere other than the encrypted computer (a printed copy in a locked drawer beats a file on the same drive).
- Windows Vista or 7 (Ultimate and Enterprise editions only), or Windows 8, 8.1, or 10 (Pro and Enterprise editions, plus Education on Windows 10; the Home editions don't include it): Turn on BitLocker, a built-in whole-disk encryption program. Here are Microsoft’s instructions for using BitLocker (select your version of Windows from the dropdown menu in the top right).
- Older Windows OS: If you have an older version of Windows or an edition that doesn't include BitLocker, you can download a free, open-source program called DiskCryptor.
- Apple OS X Lion or later: Turn on FileVault 2, a built-in whole-disk encryption program. FileVault 2 uses XTS-AES-128 with a 256-bit key. Here are Apple’s instructions for using FileVault 2.
- Older Apple OS: Older versions of OS X include the original FileVault, which only encrypts your home folder, not the whole disk. You can enable it, but it's a better idea to upgrade to OS X Lion or later so you can take advantage of FileVault 2. Apple isn't releasing security patches for OS X 10.6.8 or earlier anymore, so it's a good idea to upgrade for that reason alone. Here's a good Q&A on upgrades for older Macs from Intego's Mac Security Blog.
- Password manager. You know you shouldn't write your passwords on a sticky note or save them in a text file on your desktop...but you probably do it anyway, right? A password manager removes the reason for that habit: it stores all your passwords in one encrypted vault, so every account can have its own long, random password that you never have to remember. What’s the catch? You need to memorize the one master password that unlocks the vault, and it must not be saved in your browser: if someone steals your computer or hacks your Google login (for Chrome users), a browser-saved master password puts every other password one click away. As you can guess, this password needs to be really strong; a passphrase of several randomly chosen words is easier to remember than a short string of symbols and far harder to guess. If the program offers two-factor authentication for the vault, turn it on. On the plus side, imagine only having to memorize one password instead of 10, 20, or more. The paid options listed below offer extras like storing unlimited passwords and syncing across devices. The free options work well on one device, if you only need to store a limited number of passwords.
- Paid software: Dashlane 3, LastPass 3.0 Premium, and Sticky Password Premium
- Free software: LastPass 3.0, PasswordBox Premium, 1U Password Manager
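Here is what "really strong" means in numbers. This is an added example, not code from the original post or from any of the products above: it draws a master passphrase with the operating system's cryptographic random source and estimates how long an attacker would need to try every possibility. The 16-word list is a constructed stand-in (a real Diceware list has 7776 words, which is the size the entropy figures use), and the guessing rate of ten billion per second is an assumed figure for a fast offline cracking rig.

```python
"""Generate a master passphrase and estimate its strength.

Added example, not from the original post. SAMPLE_WORDS is a constructed
stand-in; real Diceware-style lists have 7776 words.
"""
import math
import secrets

# Constructed stand-in list. Use a real 7776-word list in practice.
SAMPLE_WORDS = [
    "anchor", "basil", "candle", "dune", "ember", "falcon", "garnet", "harbor",
    "ivory", "juniper", "kettle", "lantern", "marble", "nectar", "orchid", "pebble",
]
DICEWARE_LIST_SIZE = 7776


def generate_passphrase(words, n_words=6, sep="-"):
    """Pick n_words uniformly at random using the OS CSPRNG (never the `random` module)."""
    if n_words < 1 or len(words) < 2:
        raise ValueError("need at least one word drawn from a list of two or more")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Entropy, in bits, of n_words drawn uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case years to try every passphrase at the given offline guessing rate.

    1e10 guesses/s is an assumed rate for a GPU rig against a weak hash; a
    properly configured vault uses a slow key-derivation function, which
    lowers the rate by orders of magnitude, but the arithmetic is the same.
    """
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("candidate master passphrase:", generate_passphrase(SAMPLE_WORDS))
    for n in (4, 6, 8):
        bits = entropy_bits(DICEWARE_LIST_SIZE, n)
        print(f"{n} words from a {DICEWARE_LIST_SIZE}-word list: "
              f"{bits:.1f} bits, about {years_to_exhaust(bits):,.0f} years to exhaust")
```

Four words from a full list give roughly 52 bits, which a well-equipped attacker can exhaust in days; six words give about 77 bits and push that into hundreds of thousands of years at the same rate. That is the difference the master password has to make.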
66% of sensitive data is stored in on-site servers.
- Backup software. Let’s say you get a computer virus. Or one or more of your files becomes corrupted. Is the data gone forever? It might be if you don’t have a backup system in place. Legally, you are required to provide your customers with any information you store about them, whether it’s a copy of their life insurance application or a copy of the results of their life insurance medical exam. If you aren’t keeping secure backups of your data, you may not be able to meet that obligation. You can purchase plans from online storage services that include features like unlimited storage space, continuous backup, file sync, sharing options, user-owned encryption keys, redundant storage, and mobile access. User-owned keys mean the provider can't read your files, but also that nobody can recover them if you lose the key, so store it somewhere safe and separate from your computer. Whichever service you choose, test a restore now and then: a backup you have never restored from is only a hope. Unlimited plans for personal use are often less than $100/year. You can also buy non-cloud-based options if you'd rather store your backup copies on an external hard drive or another computer - the software usually costs less than $75.
- Cloud-based options: IDrive, CrashPlan, SOS Online Backup, Carbonite.
- Non-cloud-based options: Store your backups on another computer, a partitioned section of your computer, or on an external hard drive. Options include NovaBACKUP, Acronis Backup for PC, Genie Backup Manager. Keep in mind that a separate partition on the same drive helps with an accidental deletion but not with a failed drive, theft, or ransomware, so keep at least one copy off the machine; and if you store your backups on additional hardware, you need to encrypt and protect that hardware, too.
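The restore test is the part most people skip, so here is the routine in code. This is an added example, not code from the original post or from any of the backup products named above: it archives a folder, records a SHA-256 fingerprint of every file at backup time, and then restores the archive somewhere else and checks every file against those fingerprints. The client folder, the archive location and the sample files are all constructed for the demonstration; point `create_backup` at a real folder and an external drive or another computer to use it.

```python
"""Back up a folder to a .tar.gz and prove that it restores intact.

Added example, not from the original post. Standard library only; the
sample files and paths are constructed when the functions are called.
"""
import hashlib
import tarfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in 64 KiB chunks so large scans and PDFs never load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(src_dir, archive_path):
    """Write src_dir to a compressed archive and return the manifest taken at backup time.

    Keep the manifest with the archive: it is what a restore is checked against.
    """
    src = Path(src_dir)
    manifest = build_manifest(src)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return manifest


def check_against_manifest(root, manifest):
    """Return the relative paths that are missing or whose bytes differ from the manifest."""
    actual = build_manifest(root)
    return sorted(rel for rel, digest in manifest.items() if actual.get(rel) != digest)


def verify_restore(archive_path, restore_dir, manifest):
    """Extract the archive into restore_dir and compare it with the manifest.

    An empty list means every backed-up file came back byte for byte.
    """
    restore_dir = Path(restore_dir)
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            # The "data" filter rejects absolute paths and "../" entries (Python 3.12+,
            # also backported to recent 3.8-3.11 releases).
            tar.extractall(restore_dir, filter="data")
        except TypeError:
            # Older Python without the filter argument: only restore archives you made.
            tar.extractall(restore_dir)
    return check_against_manifest(restore_dir, manifest)
```

Run the verification against a scratch folder, not over the live client folder: the point is to learn that the archive is good before you need it. If the check returns anything, the backup is not one you can rely on.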
Each lost and/or stolen record containing protected information costs a consolidated average of $145.10.
- Anti-virus software and deletion software. These two work hand-in-hand. You’re probably already familiar with anti-virus software, which can alert you to potentially harmful websites and downloads before you do something that might infect your computer. As with many of the programs listed above, the same companies often offer free and paid versions. What you might not know is that getting confidential information off your computer isn’t as easy as it seems. Operating systems keep copies of things for longer than you realize. Deleting a file in Windows, for example, at first just moves it to the Recycle Bin. Emptying the Recycle Bin doesn't erase it either: Windows marks the file's entry in the Master File Table and the disk space it occupied as free, but the bytes stay on the drive until something else happens to overwrite them, which is exactly what file-recovery tools look for. A deletion ("shredding") program overwrites that data before removing the file so hackers or thieves can't recover it. Two caveats: on an SSD the drive may write the overwrite to different flash cells, so file-level shredding is unreliable there, and applications often keep their own autosave copies and temporary files. This is one more reason whole-disk encryption comes first on the list: anything left behind on an encrypted drive is unreadable without the key. Many anti-virus suites include a shredding option you can use to securely delete files with sensitive information, so we've grouped these programs together here.
- Paid software: Webroot SecureAnywhere AntiVirus, Bitdefender Antivirus Plus, Kaspersky Anti-Virus, F-Secure Anti-Virus, McAfee AntiVirus Plus
- Free software: Panda Free Antivirus, Bitdefender Antivirus Free Edition, AVG AntiVirus Free, Malwarebytes Anti-Exploit Free
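To make the difference between "delete" and "shred" concrete, here is what a shredding program does under the hood. This is an added example, not code from the original post or from any of the products listed above: it overwrites a file's contents with random bytes, forces the write to disk, truncates the file, renames it so the original name is not left in the directory record, and only then deletes it. The file it is run on in the test is constructed; the SSD and autosave caveats from the paragraph above apply to it just as they do to a commercial shredder, which is why the comments repeat them.

```python
"""Overwrite a file before deleting it so its bytes do not linger in free space.

Added example, not from the original post. Intended for regular files on a
magnetic drive; see the caveats in the docstring.
"""
import os
import secrets
from pathlib import Path


def overwrite_and_delete(path, passes=1, chunk_size=1 << 20):
    """Overwrite `path` with random bytes `passes` times, then truncate, rename and unlink.

    Returns the number of bytes overwritten per pass (the file's original size).

    Caveats: on an SSD, wear levelling may put the new bytes in different flash
    cells, so old copies can survive; journaling file systems and application
    autosave/temp files may hold further copies; whole-disk encryption makes any
    remnant unreadable without the key, which is why it comes first in this post.
    """
    p = Path(path)
    size = p.stat().st_size
    with open(p, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk_size, remaining)
                f.write(secrets.token_bytes(n))  # CSPRNG output, not zeros
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the overwrite through the OS cache to the drive
        f.seek(0)
        f.truncate(0)  # release the file's clusters only after they hold random data
        f.flush()
        os.fsync(f.fileno())
    # Rename before unlinking so the original file name is not what a recovery
    # tool finds in the freed directory entry or MFT record.
    anonymous = p.with_name(secrets.token_hex(8))
    p.rename(anonymous)
    anonymous.unlink()
    return size


if __name__ == "__main__":
    import tempfile
    # Constructed scratch file standing in for a scanned application.
    scratch = Path(tempfile.mkdtemp()) / "application.pdf"
    scratch.write_bytes(b"%PDF-1.4 constructed sample\n" * 1000)
    print("overwrote", overwrite_and_delete(scratch, passes=2), "bytes; exists:", scratch.exists())
```

One overwrite pass is enough on a modern magnetic drive; the extra passes are there for policies that require them. For a machine you are retiring, a full-disk wipe or destroying the drive is the reliable answer, not shredding individual files.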
Phew! That's a lot of information, we know. We'll be talking more about data security in a future post, along with a more comprehensive white paper. For now, just browse the options listed above and make sure your computers are encrypted and protected with backups and anti-virus software.