The recent high-profile coverage of BT’s failure to encrypt an email attachment highlights the problem that while email may be a highly convenient way of communicating, in its raw form it is far from secure.
This should serve as a warning to anyone using email of the need for extreme caution, especially when the message contains personal data.
For anyone who has missed the story, BT was instructed by a court to send an encrypted copy of a list of people who may have been using the internet to download pornography that in some way breached the owners' intellectual property.
Apparently the court order clearly stated that the documents should be provided in the form of an encrypted spreadsheet. However, BT sent the document without protecting the contents, and the email was intercepted by hackers.
The hackers subsequently posted details of the individuals involved on the internet in an apparent attempt to embarrass the law firm, ACS Law, which had obtained a court order requiring the data.
Financial regulators do appear to be aware of such weaknesses, as demonstrated by the $1.2m fine imposed on Met Life last year by Finra, the US equivalent of the FSA, for failure to supervise email.
But despite many high-profile data breaches in our industry over the past few years, I continue to be amazed at how often I come across organisations that fail to recognise how essential it is to have specific policies to ensure information is covered by the Data Protection Act.
No adviser would ever print a client report and send it on a postcard through the post, but sending raw email without taking security precautions amounts to the same thing.
In my experience, there is an urgent need to have in place processes to ensure that sensitive data is only communicated securely. Equally, we need to avoid overkill and not send everything securely just for the sake of it.
Data protection knowledge should be part of the core training for all clients and advisers, and there are a number of ways in which advisers and providers can protect email communications.
Increasing numbers of firms are building highly functional customer-facing websites, so including a secure communications portal for correspondence between client and adviser should be a core requirement for any such service.
The usual way of achieving this is for the adviser's website to generate a link to the secure site and email that link to the client, telling them a message awaits them. The client can then log in securely to read the message and respond; the content itself never travels in the email.
Where such a service is provided in association with the adviser’s client management system the correspondence can be attached automatically to the central client record for use in future processes and reports, such as TCF.
Alternatively, advisers can use encryption services to protect the correspondence. There are many such services available, but most of these systems default to storing the document in an encrypted format. This could present a major problem if the firm receives an FOS claim many years later and no longer has access to the decryption key needed to provide copies.
Therefore, it is important to remember that if you are going to use encryption you may need a decrypted version in the future. Consequently, I would always recommend advisers use a system which enables them to store all the communication unencrypted.
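As an added illustration of the portal pattern described above (the email carries only a link, the message stays on the portal and is attached to the client record) and of the point about keeping correspondence retrievable later, here is a minimal Python sketch. It is example code written for this article, not any vendor's product; the Portal class, its method names and the sample message are all constructed for the example.

```python
# Added example (not from the original article): a minimal secure-portal
# notification flow. The email sent to the client carries only a link, while
# the message body stays on the portal and is kept, readable, on the client
# record. All names (Portal, send_secure_message, ...) are constructed here.
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Portal:
    base_url: str
    # client_id -> list of stored messages (kept readable for later retrieval)
    client_records: dict = field(default_factory=dict)
    # sha256(token) -> (client_id, message index)
    tokens: dict = field(default_factory=dict)

    def send_secure_message(self, client_id: str, subject: str, body: str) -> str:
        """Store the correspondence on the portal and return the notification
        email text. The email contains only a link, never the message itself."""
        record = self.client_records.setdefault(client_id, [])
        record.append({"subject": subject, "body": body})
        token = secrets.token_urlsafe(32)  # unguessable link component
        # Only a hash of the token is stored, so a copy of the portal database
        # cannot be used to mint working links.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (client_id, len(record) - 1)
        link = f"{self.base_url}/messages?token={token}"
        return ("A secure message from your adviser is waiting for you.\n"
                f"Please log in to read it: {link}\n")

    def retrieve(self, token: str, authenticated_client: str):
        """Resolve a link after the client has logged in. The token alone is
        not enough: the logged-in session must belong to the addressed client."""
        entry = self.tokens.get(hashlib.sha256(token.encode()).hexdigest())
        if entry is None or entry[0] != authenticated_client:
            return None
        client_id, idx = entry
        return self.client_records[client_id][idx]


def email_leaks_content(email_text: str, body: str) -> bool:
    """Pre-send check: the notification must not contain the message body."""
    return body in email_text
```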
It should be mentioned that in many ways email is not the ideal way to communicate with product providers, platforms and lenders. Each individual email has to be created, or at best mail-merged, and then responded to manually by the recipient.
Structured messages between advisers' client management systems and business partners can in practice be far more automated, so that either party's systems can update the other automatically.
Contract enquiry valuation services and the new policy tracking messages are examples of such services but there are many more forms of standard communication between business partners which could be processed in similar ways.
As increasing numbers of advisers are both implementing and increasing their use of client management technology, we have reached the stage where there ought to be a compelling case for maximising the level of communication conducted in this way. Such messaging services can be built with the requisite level of security designed into the process, mitigating the risks described above, which is a further compelling reason for their wider development.
Not having in place a clear policy on when and how to communicate electronic data securely is tantamount to leaving a firm wide open for a major regulatory fine.
Sadly, our industry is for the most part too complacent on this point.
Sooner rather than later, I expect someone to pay a heavy price. Could it be you?