Protecting PRIVACY
from FORUM Magazine - May 2023
by Advocis
Michael Callahan explores common situations that may breach client confidentiality
Consider the sheer volume of sensitive information advisors typically have on their clients — social insurance number, date of birth, photocopy of driver’s licence or similar identification, notice of assessment, age, home address, marital status, and more. This is a treasure trove for online hackers and fraudsters. What are the requirements to keep an advisory practice in compliance with privacy rules? And how can advisors navigate common scenarios without causing a breach?
Many regulatory and accreditation bodies within the financial services industry have guidelines pertaining to client confidentiality. Advocis’s Code of Professional Conduct, which governs all Advocis members, states that “an Advocis Member shall respect and protect the privacy of others and the confidentiality of client information.”
Beyond the industry, advisors are already familiar with the federal government’s Personal Information Protection and Electronic Documents Act (PIPEDA), which outlines how organizations, including financial advisory practices, may collect and use personal information in the course of conducting business.
Now, there’s new federal legislation coming. PIPEDA is about to be superseded by Bill C-27: The Digital Charter Implementation Act.
“Major changes to Canada’s privacy laws are on their way,” says John Waldron, founder of Learnedly and industry speaker on advisor-related compliance issues such as privacy regulations, cybersecurity, and topics related to client-focused reforms. “Bill C-27 introduce[s] new frameworks for protecting personal information, including new rules for developing and deploying artificial intelligence.”
Waldron says advisors need to tread carefully in many situations to protect clients’ privacy and confidentiality. For example, they need to be cautious when disclosing information to a client’s trusted contact person (TCP) and ensure they’re following the rules in the fine print of the client agreement. They must also be extremely careful when sharing client information with third-party service providers.
“Data breaches and identity theft are a constant threat, and the safety of client information is only as good as those who protect it. Before you share information with a third-party service provider, don’t be afraid to ask for their security and privacy policies, compliance certifications, and incident response plan,” says Waldron. “Identity theft in particular has risen sharply in Canada in recent years.”
Three Everyday Scenarios
Advocis asked Kelly Gustafson and Brandon Chapman to share their thoughts on how advisors can protect themselves and their clients when they encounter three common scenarios. Gustafson is a financial advisor technology consultant in Calgary. Chapman is a principal with SaaS Wealth Insurance in Vancouver. Both are founding members of the Advocis Technology & Innovation Committee.
SCENARIO 1: WORKING OFF SITE
Leila is an investment advisor who works primarily from her home office. She often goes to a local coffee shop on her lunch break. On this occasion, she brings her laptop with her so she can continue working on a client’s financial plan at the coffee shop. Has Leila done anything wrong?
“Yes, there are potential risks of privacy breach in this scenario, as both the digital space and the physical space need to be considered. For example, can anyone see any of the personally identifying information in a notebook, client file, or on a device screen? The proximity to others may result in a potential privacy breach,” says Gustafson.
Chapman adds, “Leila should avoid using public Wi-Fi for client work, as hackers can easily intercept sensitive financial information for identity theft, fraud, or other malicious purposes. Instead, Leila should use a secure and private network connection, such as a Virtual Private Network or a mobile hotspot. She should ensure that her laptop’s operating system and security software are up to date and use multifactor authentication to protect her clients’ information.”
SCENARIO 2: SPOUSAL CONFIDENTIALITY
Johann is a financial advisor with clients who are husband and wife. The spouses typically meet with Johann together, but today only the wife is present. Johann mentions several items related to the husband’s finances in this meeting. Has Johann done anything wrong?
“Johann has potentially breached client confidentiality by discussing the husband’s financial information in the absence of the husband, and this could lead to both reputational damage and legal liability for Johann and the financial institution,” says Chapman. “It comes down to consent, and Johann must obtain the husband’s consent before sharing any information.”
From Gustafson’s perspective, “Advisors must still be careful not to presume they have consent to disclose confidential information about one spouse to the other. Even between spouses or other family members, advisors must obtain explicit consent before sharing any information about one client to another. Communicating with the husband ahead of time and obtaining consent in writing will help insulate Johann from a potential breach.”
SCENARIO 3: PERSONAL EMAIL SECURITY
Siena is a life insurance advisor who sent herself an email from her work account to her personal account so she could work on a client’s life insurance proposal at home later that evening. The email contained the client’s personal information and account statements. Has Siena done anything wrong?
According to Gustafson, “Siena has put her client’s personal information at risk by sending it via email to a personal device. Even if you encrypt your email as a sender, the same encryption protocols must be followed on the other end. In this case, she is creating additional opportunities for a privacy breach, as both the body of the email and attachments pose a potential risk.”
“Siena should avoid sending sensitive client information to her personal email account due to the high risk of email-related cyberattacks, such as phishing and hacking,” adds Chapman. “Cybercriminals often target personal email accounts because they are generally less secure than work email accounts. Instead, Siena should only use her secure work email, and should limit access to authorized recipients.”
Handle Client Information With Extreme Caution
The bottom line is that inadequate awareness of confidentiality obligations can compromise clients’ privacy and have significant consequences for advisors, including financial penalties, disciplinary action, and reputational damage. Protect yourself and your clients by keeping up with privacy and confidentiality guidelines and making it a high priority in your practice to treat client information with the utmost care.