Information Security / Client Information Security Standards
Client information refers to information about individuals who apply for or purchase a product or service. Confidential client information includes, but is not limited to:
- Name, address, phone number and age
- Social security number or other identification number
- Account numbers
- Financial information, such as assets, debts and credit history
- Health information, including medical and prescription records
- Other personal information such as driving record
Agents must only disclose, access or use confidential information for business purposes. The information can only be shared on a “need to know” basis.
Physical Security Standards
Agents are required to follow these physical security standards:
- Client information must not be left unattended in offices, conference rooms, fax machines or printers.
- Client files, documents, or any other records/documents containing confidential information should be stored in locked file cabinets or desks when not in use, and in all cases, secured at the end of the business day.
- Visitors to an agency location should not be allowed to walk unescorted in areas where client information is easily accessible.
- Destroy unneeded documents: Agents are required to either shred documents or dispose of them in the secure bins located in their respective office. Under no circumstances is confidential information to be discarded in recycling or trash bins.
- Lock down agency location at the close of business.
- Complete all information security training administered by the firm.
- Report gaps: Agents are required to report any failures in physical safeguards (e.g., broken locks, inadequate secure zones) to his/her VP.
Electronic Records Security Standards
Certain states require an agent to certify annually that they are in compliance with the state Cybersecurity Requirements for Financial Services Companies. Agents are required to be knowledgeable about, and comply with, all applicable state requirements for the safeguarding of electronic information and cybersecurity in the states in which they do business. At a minimum, Agents must follow these electronic records security standards:
- Computers and mobile devices with access to client information should not be left unattended, and screen savers/sleep mode on such devices should require a password to resume.
- Password protections for access to PCs must be implemented.
- Encryption tools are to be used when emailing confidential information to the client.
- Client information should never be downloaded, maintained or saved to your PC.
Agent Security Standards
- Agents should limit access to client information to only those Members who require the information for client support, Operations or Compliance.
- Agents should only disclose information that is necessary. That means only disclose information that is required to perform the business operation.
- Agents are prohibited from disclosing client information over the phone or in response to an email unless they have identified the person with whom they are communicating as the client or a fiduciary representative of the client.
The Company requires that its agents report all data breaches, because breaches may cause damage to the firm, may harm clients, and many states require that clients be notified of data breaches that may expose them to identity theft and other risks. It is very important that all potential data breaches be reported to the agent's VP and Compliance immediately.