I just finished speaking to an amazing group of financial advisors at the Lincoln Financial Group Planning Forum. This is a group of people who take the security of their business information, the privacy of their clients and their own personal data safety very seriously. It was an identity theft prevention speech, but specifically geared to the exceptional amount of identity handled by financial planners. These are people who have to proactively protect physical client files, filing cabinets, computer access, wired and wireless networks, trash, mail, hiring policies (to avoid bringing an identity thief into the company), mobile devices, and many other forms of information vulnerability as part of their everyday job. That is a lot of responsibility, and this group handles it beautifully. But I gave them some advice that turned out to be suspect…
First, a little background. During the speech, I shared three general techniques with them to help them protect the identities they handle every day (their clients’ and their own):
- The Privacy Reflex. How to recognize a scam, fraud, identity thief or dishonest transaction before it harms you. This uses a combination of anti-social engineering tools that retrain the audience to trust their instincts when they are sharing data (either their own or their clients’).
- The Interrogation. How to ask effective and highly specific questions in order to determine who can be trusted.
- Targeting the Enemy. In this section, I talk about the specific tools that can be used by financial planners to lower the risk that either their identity or their client’s identity is stolen. This included stopping financial junk mail, moving to online statements, freezing credit, limiting data collection inside of the business, protecting laptops and mobile data devices, investing proportionally to value in regard to professional document shredding and computer network security, and utilizing existing Identity Surveillance tools (http://www.csidentity.com/, http://www.annualcreditreport.com/, eMoneyAdvisor) to protect client identities.
But during the speech, I gave them a piece of advice that I would like to amend. One of the most frequent forms of the theft of financial advisor client information happens when a laptop computer is stolen from the advisor. And one of the most common places this happens, ironically, is when the advisor is attending an out-of-town conference or meeting. Instead of lugging the laptop with them to each event, it’s just easier to leave it back in the hotel room.
But when you ask yourself who is in control of that computer once you have left the room, the answer is full of risk. Of course, it’s the cleaning staff. Most room service personnel are trustworthy, but you can’t bank on that always being the case. With that in mind, I recommended several options to protect the identities on that computer:
- First of all, use strong passwords and data encryption to protect the data on the notebook computer in case it does disappear.
- Stop carrying data on your computer that you don’t absolutely need. If you don’t need to have client information on there, don’t put it on in the first place.
- Carry it with you to the events. Of course, when you set it down during a coffee break, your risk goes back up.
- Lock the laptop in the room safe. Sometimes they don’t fit, so I suggest that you pull the hard drive out of the laptop (which is where all of the identity lives) and place that in the safe.
- Use the hotel safe. Most hotels will lock up computers for you in their safe. Now you just need confidence that the hotel staff are trustworthy.
- The option that I liked best (until yesterday) was to place the DO NOT DISTURB sign on my door as I leave each morning so that no one enters my room. True, your room doesn’t get cleaned, but you are keeping potential thieves not just from your computer, but from any client documents, passports or intellectual capital that might be in the room. Hiding things is a poor option, as a thief will know every one of those spots by heart.
Unfortunately, when I got back to my hotel room at the Marriott after spending the day in downtown Los Angeles, the cleaning staff had eventually ignored the Do Not Disturb sign and cleaned the room anyway. You should have seen me go after the manager who was on duty. Not only is this a violation of my privacy, it is a violation of hotel policy.
Or is it?
No one on duty yesterday could tell me what the policy is for a room with a Do Not Disturb sign on it. If it hangs all day, are they allowed to enter the room? At this hotel, it would appear so, but absolutely no one could tell me the ACTUAL POLICY. Which means that this is no longer as strong an option as I thought it was. I have stayed in more than 400 hotels over the past few years and this is the first time someone has entered the room when the sign was hanging on the door (that I know of). Luckily, my computer was in the safe and my client files were with me in downtown LA (I like to use layered levels of protection and not just rely on one factor – I’m a bit paranoid in that way because of what I’ve been through). But I need to add a caveat to yesterday’s speech: Do Not Disturb signs don’t always work. If you are going to use this option, make sure you call down to housekeeping and let them know that you don’t want your room cleaned or entered.
In the meantime, lock the data up in the safe as much as possible.