Financial advisors rely on the trust of clients to share confidential financial and personal information. Given the high profile of identity theft in recent years, Risha Gotlieb explores how prepared advisors are to actually earn that trust.
When Saskatoon-based financial planner Brian Mallard fired an employee, he didn’t envision that it would culminate in three years of litigation costing over a million dollars, the employee’s untimely death and the possibility of his clients’ confidential information being sold to South American identity theft rings.
After being terminated, the employee allegedly broke in over the weekend and made off with Mallard’s entire client database, which included names, addresses, social insurance numbers as well as driver licence and bank account numbers.
“We believe this information was going to be used by identity thieves to acquire credit cards or loans,” says Mallard, a former chair of Advocis, who adds with remorseful hindsight, “I should have changed the locks and pass codes.”
Mallard is not alone in his experience with identity theft. It has become one of the fastest growing global crimes, facilitated by the explosive growth of affordable technology and the anonymity of the Internet. This, in turn, has made it possible for petty thieves and organized crime rings to harvest personal and financial data with virtual impunity.
Statistically speaking, it’s not a matter of if but when you or someone you know will fall victim to identity theft. And although the numbers may already seem staggering, shockingly this form of consumer fraud is still considered by many experts to be in its infancy.
Canadian and U.S. surveys extrapolate that approximately one in every 26 North Americans will fall victim to identity theft in 2007. The U.S. Federal Trade Commission reported that in 2005 alone, U.S. businesses lost $50 billion to identity theft. Meanwhile, the Canadian Council of Better Business Bureaus estimated in 2002 that our economy lost $2.5 billion to identity theft. An Ipsos Reid poll found that one in every four Canadians has been victimized by identity thieves or knows someone who has.
An Industry Canada study cites that pilfered personal information is commonly used to open new credit card accounts, commit insurance or payment fraud, obtain government benefits, open fraudulent phone or utility accounts, or take out loans in the victim’s name. It has also been used to illegally obtain security documentation, such as driver’s licences and even passports.
And a report submitted to both the solicitor-general of Canada and the U.S. attorney general states that identity theft is “commonly committed to further other criminal activity, such as organized crime and terrorism.”
It’s these types of stats and the reporting of them by the media that have led advisors like Mark Taucar, an investment counselor with Toronto-based RN Croft Financial Group, to make changes. “We now bring in a professional shredding firm on a weekly basis and all our cabinets are locked up for the evening. We don’t even permit our clients to access their accounts through our website; instead they must go directly through the bank’s more secure Internet banking site,” says Taucar.
He adds somberly, “If more of us don’t take identity theft seriously, our industry’s image is going to suffer.”
Mallard found that after reporting the theft of his company’s confidential client records, the local police seemed ill prepared for this form of crime. “They didn’t think it was much of a high profile crime, not to mention that its investigation would be tedious, difficult and time consuming.”
Theft-Proofing Tips for Advisors
Source: The Consumer Measures Committee
Absurdly, except for the specific exemption of credit card and debit card data, individuals who hold names, addresses, SIN numbers, birth dates, driver’s licence numbers and other personal information and who even share or sell such information have not committed a criminal offence under the existing Criminal Code of Canada.
“While many types of fraud are covered, the Code does not contain provisions relating to the possession of personal information,” says Wendy Parkes, a research associate with the Canadian Internet Policy and Public Interest Clinic, which was set up in 2003 at the University of Ottawa’s Faculty of Law to address policy and law-making processes on issues that arise as a result of new technologies.
University of Ottawa law professor Jennifer Chandler says that our current legal system is “woefully inadequate” to deal with this problem. “Because our personal information is so widely used and so poorly safeguarded by many data custodians, it has become quite difficult to establish the necessary causal link between the ID fraud and the defendant data custodian,” she notes.
With legislation having fallen behind the evolution of this form of economic terrorism, the different levels of government have undertaken a number of initiatives, which include setting up public reporting mechanisms and seeking input from the public in the hopes of enacting legislative deterrents.
“Working Together to Prevent Identity Theft: A Discussion Paper for Public Consultation” is the product of the Consumer Measures Committee. Its recommendations are that credit alerts be legislated and businesses be required by law to notify individuals affected by a security breach. However, most of these recommendations have yet to be adopted into legislation across Canada.
Meanwhile, in the U.S. in 1998, Congress passed legislation making identity theft a criminal offence and, in 2004, the Identity Theft Penalty Enhancement Act was enacted to further increase penalties for this crime. Also, more than 30 states have already passed legislation requiring companies to divulge and inform their customers if there has been a security breach.
Richard Billington, of Calgary’s Billington Barristers and Mallard’s attorney, has noted that Canadian courts’ attitude towards identity theft is, however, changing. “They’re becoming more and more concerned with businesses that learn their critical information has been misappropriated but take no steps to recover that information or to determine what has been done with it by the bad guys,” he observes. “Such businesses expose themselves to claims for negligence, breach of contract and breach of statutory duty under both federal and provincial legislation.”
He adds: “It may not be sufficient to merely report the wrongdoing to the police. Rapid action through the pursuit of civil remedies, including specialized injunctions, may be needed to show that businesses and their directors have acted with proper diligence. In the absence of such diligence, businesses expose themselves to potential claims including the prospect of class action suits.”
According to the Criminal Intelligence Service Canada (CISC), while larger corporations allocate additional resources to strengthen security measures, criminals are increasingly targeting smaller financial institutions that have limited security resources, such as community banks and credit unions. This trickle-down effect will likely lead the criminal element to “softer” targets such as the offices of lawyers, accountants, doctors and dentists and financial advisors.
Financial author and commentator Gordon Pape agrees, noting “if the big banks don’t have this under control, how are our small firms going to be able to cope?” Pape himself recently received a letter of apology from CIBC after its Montreal investment subsidiary, Talvest Mutual Funds, lost a computer hard drive containing personal information on hundreds of thousands of investors (see sidebar Into the Breach).
Financial advisors’ offices may vary widely in their configuration, from the number of partners and employees to physical layout and location. Nevertheless, law enforcement, government and security experts generally agree on a number of prudent practices to minimize or prevent the risk of falling prey to the scourge of identity theft.
The first step is to ensure there is a collective understanding amongst all staff members that the personal information they’ve been entrusted with is of significant value. As Billington puts it, financial advisors must pursue a culture that demands recognition of the maintenance of confidentiality and respect of client data. “You have to guard it carefully. You have to be constantly vigilant and think about it from a technical, legal and moral perspective.”
Experts say financial advisors have to communicate to their staff the true value of information if it falls into the wrong hands. In other words, employees have to understand that the value of a file is not the three or four cents of paper it contains, but the fact that it represents the keys to a new car, the deed to a home or future retirement savings.
This initial step is an important exercise in developing a culture of sensitivity toward guarding the personal and financial information that has been entrusted to your staff and company.
Financial advisors also need to reconsider the amount of information being collected and collect only what is absolutely necessary to run their businesses. Chandler points out this is also a legal requirement outlined in federal privacy legislation, PIPEDA, which states that the collection of information shall not be done “indiscriminately” and the amount and type collected shall be limited to the purposes identified by the organization.
Clients’ files should also contain written informed consent allowing you to store their personal information and how it can be used. Furthermore, the handling and transmission of this data must be subject to well-defined protocols that every staff member must adhere to. And these protocols should be outlined in some form of handbook that staff can refer to at any time.
For example, when it comes to faxing documents, minimize the number of hands through which the documents will pass. Consider making one person responsible for the fax machine and have the machine in a controlled area. Also remember the limitations of fax technology, such as misdialing a number, possible interception of fax signals and even the basic necessity to routinely clear the memory of your fax machine.
The same precautions should apply to photocopiers. While a photocopier is a valuable tool for conducting business, it’s also an ideal mechanism for identity thieves. Photocopying of any identity-sensitive material should be kept to a bare minimum. Other technology pitfalls such as e-mail and instant messaging and how to avoid them are identified in the “Uses of Technology” section of the Advocis Best Practices Manual.
Indeed, in today’s modern offices, a significant amount of information is stored and transmitted electronically. A recent survey by the Ponemon Institute in the U.S. disclosed the startling statistic that 81 per cent of companies and governmental entities have lost or misplaced one or more electronic storage devices, such as laptop computers containing sensitive or confidential business information, within the last year.
Into the Breach
Some examples of identity theft:
• In January 2007, CIBC reported that a computer hard drive containing personal information on about 470,000 investors was lost in transit by its Montreal investment subsidiary, Talvest Mutual Funds.
• Also in January 2007, it was reported that hackers got into the computer systems of U.S. discount retailer TJX Cos., the parent company of Winners and HomeSense, compromising the personal information of millions of Canadians. Some banks have since issued new credit cards to customers while others are monitoring cardholder transactions.
• In early 2005, the American information broker ChoicePoint, whose database contains billions of records about nearly every adult in America, inadvertently sold the personal information of at least 145,000 Americans to 50 identity thieves.
• In June 2004, both Citibank and Royal Bank of Canada notified their customers that fraudulent e-mails purporting to originate from the banks were being sent out asking them to verify account numbers and personal identification numbers (PINs) through a link included in the e-mail. This more malicious form of spam is also referred to as phishing.
• In January 2003, an employee at Saskatchewan’s Co-operators Life Insurance made off with a hard drive containing the personal information of up to 180,000 customers.
And research conducted by Advocis reveals that the number of hackers operating internationally is predicted to reach 20 million by 2010. The research also notes that a new breed of professional hacker is performing “deep network penetration using sophisticated entry and detection avoidance techniques.”
Firewalls, anti-virus protection software and the use of encryption are absolutely essential tools in protecting electronic files. Recognize that it will be necessary to continuously update your software and possibly upgrade your hardware if you want to protect your computer system from the infiltration of hackers. Routinely change passwords and turn off or lock computers if unattended. Some computer users have turned to relatively inexpensive fingerprint readers to access their computers rather than simply using passwords.
Marc Hamel, an investment advisor with CFO Advisory Group Inc. in Burlington, Ontario, says all nine staff members in his office change their passwords at regularly scheduled intervals. And in addition to their existing encryption program, they’re currently evaluating a system that will encrypt e-mails and their attachments.
“I honestly believe that we’re going to get to the point where all the files on your computer and your servers are encrypted. It’s a natural extension of what we’re doing today. It’s security all the way down,” says Hamel. “We’re continually researching new solutions to provide that extra protection for our clients, anything that gives them a greater sense of trust.”
Sources say advisors should also use digital signatures when sender authentication may be an issue. Consider the possibility of keeping sensitive data on a computer not connected to the Internet, cutting the most common conduit that hackers rely on. Always enable and use all encryption options on networking devices, especially wireless devices, and never use default passwords. Chandler advises, from a legal perspective, to routinely have your computer system’s defences tested for vulnerability and to keep detailed records of those audits.
When upgrading or disposing of computer hardware, financial advisors should consider using scrubbing software or physically destroying hard drives or, even better, both. Additionally, avoid buying used equipment like routers from sites such as eBay and never use pirated versions of any software. And to be absolutely safe, buy your software and hardware only from reputable dealers, preferably in its original shrink-wrapped packaging.
While large banking institutions and local retailers commonly incorporate physical barriers to protect their valuable assets, many financial advisors routinely overlook this first perimeter of defense. Consider the prudent use of good-quality locks, alarms and video cameras. Also consider keeping sensitive data, whether stored electronically or on hard copy, in its own isolated secure room, as well as the use of more secure filing cabinets.
Simple garbage has also been known to be a great resource for identity thieves. Known as “dumpster diving,” this involves thieves rummaging through garbage for everything from discarded bills to complete account information. Although not as sexy as hacking, it’s much easier to prevent simply by shredding all documents before discarding them.
When it comes to postal services, consider using secure mailboxes or P.O. boxes and limit who handles the mail. And use registered mail when sending out sensitive information.
Employees who are well informed and properly equipped to deal with identity theft fraudsters can be a company’s greatest asset in preventing this crime. However, statistics show that as much as 70 per cent of identity security breaches can be traced to leaks that occur within organizations. Employees have been caught in everything from accepting bribes and pilfering information on behalf of organized crime to simply turning a blind eye to obvious signs of identity fraud.
Imagine that your receptionist is actually using her MP3 player to copy your entire client database. What do you really know about her? What are her debts? Who is she dating?
Since his painful and costly experience, Mallard says he’s taken a more proactive position with his 25 staff members as well as with temporary and contract personnel. “We’ve physically partitioned off a lot of information with only one or two of us having access to it,” he notes. “Our employees now have varying levels of access and security clearance within our offices.”
Depending on the size of your firm, these security clearance levels can be implemented in different ways, from a strict office policy that limits access to sensitive information to the implementation of programmable access systems that can be used on everything from door locks to photocopiers and computer systems. You may also want to keep audit trails of who accesses your company’s sensitive data.
“Employees can cause you far more harm than any client can,” says Mallard, pointing out that when terminating an employee, advisors should make sure they immediately close all means of office access.
Billington also encourages the use of good employee contracts that contain language that covers non-disclosure and confidentiality requirements. When hiring staff, ensure that you exercise due diligence, thoroughly checking their background and financial history. And when it comes to outside workers, whether obtained through temporary staffing services, cleaning companies, general contractors or others, demand that they be adequately insured and preferably also bonded.
As chartered accountant and advisor Fred Yada of Vancouver-based F.M. Yada Group, whose clients include such high-profile Canadians as Sarah McLachlan and Bryan Adams, puts it: “So much of our profession is contingent on being trusted. As an industry, we can’t ever take that trust lightly or for granted.” Yada sets a good example. While three of his firm’s employees have been with him for more than 25 years, he still insists on confidentiality agreements.
Leslie Cliff, president of Vancouver-based Genus Capital Management, an investment boutique with a staff of 31, says she feels more secure in knowing that a large portion of her staff are shareholders in the company. “I recognize that staff can be a serious weakness in an organization, but I believe that by having a shareholder program, my staff is much more sensitive and likely to maintain the confidentiality of my clients’ information, just as I do.”
Financial advisors should also have an action plan or strategy in place to manage a breach if it does occur. A good response plan must enable the rapid analysis of what happened, including the capacity to collect evidence in a forensically sound manner. Such evidence will not only support the prosecution of wrongdoers or the pursuit of civil restitution but also substantiate any potential insurance claim to which the organization may be entitled.
Meanwhile, it might be a good idea to confirm that your company is covered for incidents of identity theft and what the procedures and requirements are for making such a claim. It may also be prudent to suggest to your clients they take advantage of identity theft riders commonly available to home policies for a relatively low cost.
In the event of an identity theft incident, advisors should already have in place a list of who must be contacted for assistance. This may include an attorney, an accountant, IT professionals and appropriate law enforcement agencies. And have draft notification letters already crafted for those who may be affected by the security breach including clients, employees and outside agencies.
Experts say that a common reaction to an identity theft incident is to cover it up or sweep it under the rug. But they emphasize this may heighten the exposure to costly litigation as well as cause permanent damage to your company’s reputation.
Taking all these precautions may seem like overkill, but they are a necessity for an industry that relies on the trust and willingness of clients to share their personal financial information. In light of the growing incidences and awareness of identity theft, these measures may just represent the common operating standards for financial advisors in the near future.
Sound Advice for Clients
There are many websites that list prudent practices for consumers to reduce the risks of identity theft. Consider bringing this information to your clients through letters, newsletters or company brochures. These tips are from Royal & SunAlliance Canada (www.royalsunalliance.ca).
• Only bring the debit and credit cards you need when shopping; leave identity documents at home.
• Keep track of what you spend. Keep receipts or printouts from purchases made in stores or online and check them against your statement.
• Protect your PIN numbers. Do not keep a copy of your PIN number anywhere that thieves can get access to it, for example in your bag, wallet or cell phone.
• Review your credit report annually so that you can identify any abnormal activity. There are two credit report agencies in Canada from which you can order a free report from their websites: Equifax and Trans Union.
• Shred statements, bills and direct mail; don’t just throw them in the garbage.
• Always check bank statements and credit card statements thoroughly. If you notice any abnormal activity, contact your financial services provider immediately.
• Be aware of what personal information you are sharing and the measures in place to protect it. When asked to reveal any personal identifying information, such as bank details or SIN number, make sure you know how it will be used, if it will be shared and whom you are giving the information to.
• Only shop on secure websites. Do not enter any financial information if you see a broken key or open padlock symbol on your Internet browser.
Source: Royal & SunAlliance Canada