According to a poll released this month by “DataMotion,” whereby more than 200 IT and business decision-makers across the U.S. and Canada were questioned about their corporate email and file transfer habits as they relate to the personal information of clients, thirty-four percent (34%) of respondents have used—or recommended that others use—third-party database storage providers (“DBSPs”) such as “Dropbox,” “iCloud” and “YouSendIt.” What’s more, forty-three percent (43%) of respondents said their company does not ban the use of these file-transfer services, and fifty-two 52 percent (52%) said their company does not block the URLs to such services. The survey focused particularly on those industries that routinely deal with sensitive data and compliance regulations, such as financial services, healthcare, and government.
The use of DBSPs has grown in popularity since the SEC essentially gave its “blessing” to such practices when it issued its August 14, 2009, Omgeo LLC no-action letter. This letter stated that advisers could indicate they maintain all records at their principal place of business when in fact the records are on a third-party database; so long as the advisers could produce the records “as if” onsite.
It’s no wonder why such a large number of those surveyed are making use of DBSPs. These databases allow for huge amounts of information to be stored easily while allowing access to the information from any computer with internet access. Furthermore, these storage providers help reduce the need for IT staff and expensive in-house computer equipment for many firms that employ their use.
Before deciding to go with a DBSP, certain compliance considerations must be considered. First, advisers are required to keep, maintain and safeguard certain records pursuant to the Investment Adviser Act of 1940. The SEC and FINRA also require companies to take steps to secure private customer information. Digital information needs different security protocols from hard copy versions. Employing such safeguards as adding an additional layer of encryption before uploading files helps reduce potential security issues. Furthermore, documenting the safeguard processes employed by your firm in uploading documents, as well as the creation of usage policies documenting the security measures taken with client personally identifiable information is critical.
Additionally, advisers have a fiduciary duty to their clients to investigate and conduct ongoing due diligence of vendors’ controls for maintaining the security and privacy of client data. It is important to review from DBSPs’ privacy policy, disaster recovery plan, frequency of backing up data, and encryption/anti-virus measures employed by such a provider.
For further information about this, or other related topics, please contact us at (619) 278-0020 to schedule a consultation.