
[Image caption] Cataloguing storage devices and which data they contain helps identify devices with sensitive information. (Photo: everythingpossible/iStockPhoto / Getty Images)


While financial advisors and their firms place a high priority on protecting clients’ sensitive information, that level of care seems to disappear after old devices containing that data are discarded.

In September, Morgan Stanley Wealth Management agreed to pay the U.S. Securities and Exchange Commission (SEC) US$35-million after the regulator accused the firm of failing to protect approximately 15 million customers’ personal information. The company got rid of thousands of disk drives and servers without overseeing the personal data they contained, the SEC said, claiming that some of the equipment ended up for sale on auction sites.

“Failing to wipe physical drives properly after disposing of them is a common mistake,” says Brandon Chapman, certified financial planner and principal at SaaS Wealth Insurance in Vancouver as well as vice chair and founding member of the Technology and Innovation Committee at the Financial Advisors Association of Canada, known as Advocis.

He points to other instances, such as Richmond, B.C.-based electronics retailer NCIX, which went bankrupt in 2018, leaving old hard drives containing customer data in a third party’s warehouse.

“Many companies simply fail to consider disposal as part of the data lifecycle,” says Kirsten Thompson, partner and national lead for privacy and cybersecurity at legal firm Dentons in Toronto.

“Two things happen – either customer data are kept forever [which increases risk to the organization and likely violates privacy laws] or disposal happens, but it happens outside a defined process [for example, it’s left up to the IT guy to decide how to get rid of information or assets],” she says.

Advisors and their firms in Canada can also expect regulatory action if they fail to discard data properly, as federal privacy laws apply, Ms. Thompson says.

Any company regulated by the Office of the Superintendent of Financial Institutions might also be covered by Guideline B-13, which was updated in July, she adds. This sets out the agency’s expectations around technology and cyber risk management.

Outsourcing the disposal isn’t a failsafe. Morgan Stanley left disposal to a third-party moving company that then sold the equipment, according to the SEC.

“Not only do many of these third parties fail to follow any recognized standards or processes for disposal, but some equate ‘disposal’ with reselling the asset,” Ms. Thompson says.

“That means computers, hard drives, and removable media are wiped improperly [or not wiped at all] and simply sold.”

Protecting data after they leave your hands

With these dangers in mind, it might be more appropriate for some advisors and firms to delete data before they leave their premises. However, simply dragging storage devices to the trash won’t work.

“If data are stored on a local machine or drive, specialty software must be run to ensure that the data cannot be recovered should a bad actor gain access,” Mr. Chapman says.

There are several off-the-shelf tools from companies such as Blancco Ltd. that overwrite the data on personal computer disk drives several times so that others cannot recover them.

Full-disk data encryption is another tactic that can help protect any storage devices leaving a company’s offices, says Robert Clyde, board director at international auditing and controls organization ISACA.

“The advantage with that is now while there are data on that drive, you can’t read them,” he says.

That shouldn’t be an advisor’s only solution, but it provides another layer of protection in case drives accidentally leave an advisor’s control.

Furthermore, advisors and their teams will have a hard time managing client data if they don’t know where they are, Mr. Clyde warns. As such, cataloguing storage devices and the data they contain helps identify devices with sensitive information. He advises using data discovery tools to find data that already exist. Then, use classification tools to tag new sensitive data digitally when they’re created.

Another way to minimize the danger of discarding sensitive data is to avoid storing them on local devices altogether, Mr. Clyde says.

Keeping data on a central company server rather than copied across multiple devices at least restricts the information to one storage location, making it easier to manage. Mr. Clyde also points to cloud-based applications as a way to keep data stored securely with a competent provider.
