
Hack to the future

The recent high-profile coverage of BT’s failure to encrypt an email attachment highlights the problem that while email may be a highly convenient way of communicating, in its raw form it is far from secure.

This should serve as a warning to anyone using email of the need for extreme caution, especially when a message contains personal data.

For anyone who has missed the story, BT was instructed by a court to send an encrypted copy of a list of people who may have been using the internet to download pornography that in some way breached the owners’ intellectual property.

Apparently the court order clearly stated that the documents should be provided in the form of an encrypted spreadsheet. However, BT sent the document without protecting the contents and the email was intercepted by hackers.

The hackers subsequently posted details of the individuals involved on the internet in an apparent attempt to embarrass the law firm, ACS Law, which had obtained a court order requiring the data.

Financial regulators do appear to be aware of such weaknesses, which could be demonstrated by the $1.2m fine imposed on Met Life last year by Finra, the US equivalent of the FSA, for failure to supervise email.

But despite many high-profile data breaches in our industry over the past few years, I continue to be amazed at how often I come across organisations that fail to recognise how essential it is to have specific policies to ensure information is covered by the Data Protection Act.

No adviser would ever print a client report and send it on a postcard through the post, but sending raw email without taking security precautions amounts to the same thing.

In my experience, there is an urgent need to have in place processes to ensure that sensitive data is only communicated securely. Equally, we need to avoid overkill and not send everything securely just for the sake of it.

Data protection knowledge should be part of the core training for all clients and advisers, and there are a number of ways in which advisers and providers can protect email communications.

Increasing numbers of firms are building highly functional customer-facing websites, so including a secure communications portal for correspondence between client and adviser should be a core requirement for any such service.

The usual way of achieving this is for the adviser’s website to generate a web link to the secure site which is emailed to the client telling them an email awaits them. The client can then log in securely to receive this email and respond.

Where such a service is provided in association with the adviser’s client management system the correspondence can be attached automatically to the central client record for use in future processes and reports, such as TCF.
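The link-notification pattern described above, as an added sketch that is not from the original article: the email carries only an unguessable link, and the portal releases the message body after the addressed client logs in. The class name, portal URL and in-memory storage are assumptions for illustration.

```python
import hashlib
import secrets
from email.message import EmailMessage

PORTAL_URL = "https://portal.adviser.example/messages"  # assumed address

class SecurePortal:
    """Hypothetical portal: bodies stay server-side, email carries a link."""

    def __init__(self):
        self._messages = {}     # sha256(token) -> (client_id, body)
        self._credentials = {}  # client_id -> (salt, password hash)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    @staticmethod
    def _key(token):
        # Store only a hash of the token, so a leaked store cannot rebuild links.
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, client_id, password):
        salt = secrets.token_bytes(16)
        self._credentials[client_id] = (salt, self._hash(password, salt))

    def send(self, client_id, client_email, body):
        """Keep the body in the portal; return the notification email."""
        token = secrets.token_urlsafe(32)  # random, encodes no client data
        self._messages[self._key(token)] = (client_id, body)
        note = EmailMessage()
        note["To"] = client_email
        note["Subject"] = "You have a new secure message"
        note.set_content(f"Log in to read your message:\n{PORTAL_URL}/{token}\n")
        return note

    def read(self, token, client_id, password):
        """Release the body only to the addressed client after login."""
        entry = self._messages.get(self._key(token))
        cred = self._credentials.get(client_id)
        if entry is None or cred is None or entry[0] != client_id:
            raise PermissionError("access denied")
        salt, stored = cred
        if not secrets.compare_digest(self._hash(password, salt), stored):
            raise PermissionError("access denied")
        return entry[1]
```

Anyone who reads the notification in transit sees a link and nothing else; the link alone does not open the message without the client's login.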

Alternatively, advisers can use encryption services to protect the correspondence. There are many such services available, but most of these systems default to storing the document in an encrypted format. This could present a major problem if the firm receives an FOS claim many years later and does not have access to the decryption key to provide copies.

Therefore, it is important to remember that if you are going to use encryption you may need a decrypted version in the future. Consequently, I would always recommend advisers use a system which enables them to store all the communication unencrypted.

It should be mentioned that in many ways email is not the ideal way to communicate with product providers, platforms and lenders. Each individual email has to be created, or at best mail-merged, and then responded to manually by the recipient.

Structured messages between advisers’ client management systems and business partners can in practice be far more automated, so either party’s systems can update the other automatically.

Contract enquiry valuation services and the new policy tracking messages are examples of such services but there are many more forms of standard communication between business partners which could be processed in similar ways.

As increasing numbers of advisers are both implementing and increasing their use of client management technology we have reached the stage where there ought to be a compelling case for maximising the level of communication conducted in this way. Such messaging services can be built with the requisite level of security built into the process, mitigating such risks, a further compelling reason for their wider development.

Not having in place a clear policy on when and how to communicate electronic data securely is tantamount to leaving a firm wide open for a major regulatory fine.

Sadly, our industry is for the most part too complacent on this point.

Sooner rather than later, I expect someone to pay a heavy price. Could it be you?




There are 3 comments at the moment, we would love to hear your opinion too.

  1. I have to correct you here. Hackers did not intercept the email. ACS:Law left its email folders in web space, at their web address, for all the world to see. An eight-year-old could have gained access. In an attempt to reinstate their web site after it crashed through thousands of hits by hackers, ACS:Law or its host put an unprotected backup online. This was negligence on the part of ACS:Law or its host and as such is unconnected with the hackers.

  2. Paul,

    It appears that BT have admitted they transmitted unencrypted data see even if they are now arguing that they did not actually cause the leak. In any event, I believe the caution I am advocating in the use of e-mail is still important for any regulated business.


  3. Paul Stevens is right – even if the email had been encrypted this leak would still have happened, as ACS:Law accidentally allowed access to their files. Also, your story said the attached spreadsheet had to be encrypted, not the email. You are right that email is not hugely secure, but I would compare it to a letter rather than a postcard, as you do have to open it to look inside… I agree with your advice to be aware of the risks though.
