RWA Newsletter Newsletter July 2013 | Page 10

Data Security by Michael Whitfield

I have heard of a few instances lately where brokers have put themselves in significant potential jeopardy – both regulatory and otherwise – by failing to adequately secure their business data, including sensitive customer data.
For the purposes of this blog I will concentrate on data which is held electronically, though many of the obligations and responsibilities that I will touch upon will, of course, apply equally to “hard copy” data.
Firstly, an obvious statement: brokers who do not exercise sufficient care to protect their data, particularly customer data, run the risk of suffering severe penalties, both from the Information Commissioner (from whom they must obtain a licence) and from the FCA. Perhaps even more importantly, they run the risk of being pursued in the courts if any client suffers any financial loss or damage as a result of the broker failing to adequately protect their data.
So what steps might one consider it “reasonable” to take to protect any potentially sensitive data? Here are just a few suggestions; mostly completely obvious, but maybe one or two that you might not have thought of.
• Mobile Phones and Tablets: These days, most business people use phones or tablet devices that are capable of reading and storing emails and file attachments. However, in my experience very few folks bother to protect the data on those phones. At the most basic level you should at least attach a password to the phone, so that someone who casually picks it up won’t immediately be able to read it. On a more sophisticated level, some devices give you the option to encrypt all the material stored on the phone or tablet. Although there may be some additional complications to using the device if you install these features, I guarantee that you will think them well worth that extra effort if the device is lost or stolen! Also, since these devices are usually used just for keeping in touch with emails and/or social network feeds, consider reducing the time that you store your conversations on the device to just a few days or less – you may even find that this frees up quite a bit of space, which will improve the performance of the device.
• Memory Cards and Sticks: Potentially very troublesome little pieces of equipment, given how easily and frequently they seem to go missing. At the most basic level you could perhaps consider putting in place a policy to control the use of cards and sticks – I know of at least one organisation which won’t allow them to be brought onto the premises. These days you will find memory cards in particular in use in PCs, laptops, phones, tablets and more. At the very least you should consider encryption of all information stored on this media. In fact, some cards or sticks are now sold including a vestigial encryption routine (though most people instantly delete it).
• Laptops: Many larger organisations will now have a policy which insists on all data held on laptops being encrypted. It’s not that difficult to achieve, and the consequences of a laptop containing sensitive data falling into the wrong hands really don’t bear thinking about.
• Data Access and Storage: Whether you use cloud or locally based server solutions, the way that you allow people to access data needs to be kept under constant review and should be controlled with strictly enforced security policies. Passwords must be changed frequently; a routine which can normally be automated. Passwords should not be shared between staff under any circumstances, and PCs should be set to “lock-up” after only a short period of inactivity. A log should be kept of all joining and leaving staff to ensure that their access to data is provided and removed at the appropriate times and to record the fact that the necessary security controls have been put in place.
• Data Back-Up: Back-up regimes should be monitored by senior staff and must include “any point in time” readability, rather than just constant overwriting of back-up data. Back-up media must be regularly renewed and, of course, stored appropriately, which generally means in an “off-site” location!