San Diego, CA (PRWEB) May 13, 2012
While such “connectedness” can be a boon to employers, it also has a downside: it increases the risk of outsiders gaining access to confidential business data and to the personal information of clients or customers. According to a PricewaterhouseCoopers survey, only 43% of employers have implemented procedures governing the use of personal electronic devices.
Research by McAfee and the National Cyber Security Alliance found that nearly three out of four adults fail to protect their smartphones with security software, leaving these devices open to hackers and exposing the data on them if they are lost or stolen.
Employers have found it increasingly difficult to prohibit the use of personal electronic devices, and they face a tradeoff between the convenience and productivity these devices offer and the increased risk of confidential data being compromised. Providing duplicate, firm-owned devices adds expense, and employees may find it inconvenient to carry extra devices. However, when employers allow the use of personal devices, they still retain the obligation to protect data from improper access.
Investment Advisors (“IAs”) and Broker-Dealers (“BDs”), as well as other businesses, are governed by strict regulations that require the protection of confidential client or customer information (e.g. SEC Regulation S-P and increasingly restrictive state laws, particularly those of Massachusetts and Oregon). BDs and IAs must maintain strict policies and procedures for securing, managing and disposing of confidential information by controlling client files, storage media, and firm-owned or associated-person-owned personal computers and electronic devices (whenever these are permitted to be used for business purposes).
Businesses are beginning to use software designed to remotely erase all data from any employee personal device that is lost or stolen. Data security products that provide remote wipes, kill switches, SIM card locking and GPS locators are now offered for both smartphones and computers. GPS software can be used to locate a device, and programs can then be remotely activated to disable it or erase all of its data. Note that a remote wipe or disable command can only take effect while the device is powered on and reachable over a network, so it complements, rather than replaces, device encryption and strong device passcodes.
In addition to physical and electronic safeguards, IAs and BDs must implement policies and procedures regarding the use of personal electronic devices.
A data security program should at minimum include the following elements:
- Procedures for the use and security of personal electronic devices
- Training for every employee who has access to confidential information, covering how to maintain client information security when working outside the office and the requirement to promptly report any personal electronic device that is lost or stolen
- Procedures for notifying clients and the proper authorities whenever it is suspected that confidential information has been compromised
- Procedures for maintaining and destroying electronically stored client information (on hard drives, laptop computers, cell phones, flash drives, photocopier data storage, etc.), including the ability to remotely erase all data from any device that has been lost or stolen
BDs and IAs should be sensitive to these issues and implement an appropriate data security program before confidential information is compromised through the unauthorized use of personal electronic devices. Business Compliance Partners offers advice and consulting services that can help IAs and BDs review and update their programs for securing and protecting confidential business information and client records.