Sunday, March 15, 2015

Securing Client Data in the Cloud

Where Does My Stuff Live?
Clients often asked us to explain how Koch Capital keeps their personal data secure and private given our firm touts itself as an efficient, “paperless” operation, meaning we store all client data digitally on third-party servers and access that data over the Internet. Hence, the genesis of the diagram below is to help explain what type of client data is stored with various web-based applications. Please note that we have updated our technology stack from a year ago with our in-house developed Balance Sheet planning application and several new third-party financial software application programming interfaces (APIs).

Source: Koch Capital

Our most secure level (Level One) of online document storage is This is the one place where sensitive client data including social security numbers on forms, account numbers via brokerage statements, driver’s license number on legal documents, etc. are stored online in the client’s private directory.  Given its data encryption and detailed audit capabilities, the Enterprise solution is a robust, secure file management system used by companies of all sizes. You always know who is accessing what and when.

The next security level down is what Koch Capital calls Level Two, which contains personal information that may or may not already be in the public domain. Many financial software applications operate at this level providing Hypertext Transfer Protocol Secure (HTTPS) browser access to their respective software applications and require various levels of login with password security. The trick here, in our opinion, is to never save personal data that if compromised would hurt the privacy of your client.

Hence, we never save social security numbers, for example, in these applications and make sure to keep any brokerage account numbers to just the last three digits;  no full account numbers are stored at this level other than with the custodians. Most financial applications need basic client profile information like gender, age (birthday), state of residence, to perform their functions. But you can still be careful to exclude sensitive items that most likely would harm the client’s identity if compromised.

In the Public Eye
While company websites, blogs, email and social media are great new media inventions, there’s no reason to post any client data on these applications unless the client requests it for some specific reason. Treat email and phone like a public conservation that is being archived somewhere, so don’t get too personal with the content. One of our recommended best practices is to never attach or embed a sensitive document in an email to a client. Instead, only send secure links to the documents stored in the client’s private directory. With the rapid increase in mobile communication usage and in screen-share collaboration technology adoption, don’t get too comfortable providing select client data on the fly just because it is expedient. Have an access plan and modify/redact if you need to before you send. Cloud computing is the future as long as you “stay frosty” to intrusion from the bad guys.

About Jim Koch
Jim Koch is the Founder and Principal of Koch Capital Management, an independent Registered Investment Advisor (RIA) in the San Francisco Bay Area. He specializes in providing customized financial solutions to individuals, families, trusts, business entities and other advisers so they are better able to achieve their financial planning goals. Jim sees himself as an “implementer” of financial innovation, using state-of-the-art technology to provide practical investment management and retirement planning solutions for clients.

General Disclosures
This information is provided for informational/educational purposes only. The opinions referenced are as of the date of publication and are subject to change due to changes in the market or economic conditions. Nothing presented herein is or is intended to constitute advice to use or buy any of third-party applications presented here, and no purchase decision should be made based on any information provided herein. The information contained herein, while not guaranteed as to the accuracy or completeness, has been obtained from sources we believe to be reliable.
Third Party Information
While Koch Capital has used reasonable efforts to obtain information from reliable sources, we make no representations or warranties as to the accuracy, reliability, timeliness, or completeness of third party information presented herein. Any third party trademarks appearing herein are the property of their respective owners. At certain places on this website, live 'links' to other Internet addresses can be accessed. Koch Capital does not endorse, approve, certify, or control the content of such websites, and does not guarantee or assume responsibility for the accuracy or completeness of information located on such websites. Any links to other sites are not intended as referrals or endorsements, but are merely provided for convenience and informational purposes. Use of any information obtained from such addresses is voluntary, and reliance on it should only be undertaken after an independent review of its accuracy, completeness, efficacy, and timeliness.