Once upon a time, we were called by a panickedfirm who had recently found themselves in hot water with the SEC. To their shock and dismay, these advisors had discovered their long-trusted backup system actually exacerbated an issue with data loss and compliance as opposed to preventing the problem in the first place.
Could this situation happen to you? You may be wise to read this story and find out.
It all started with a single advisor and her laptop. This firm member (let’s call her Jane), copied information about clients from the firm server and placed this information on the laptop she used for work. Jane, who was planning to leave the firm with her clients in tow, subsequently deleted client information from the firm’s server. The only copies of this data were now located on her laptop. Jane continued to add client information to her laptop as she served the firm’s client base, all the while making sure no data made it back to the firm’s central server.
A period of time went by in which no one noticed the absence of data from the central server. This could be attributed to the fact that the lost client information was related only to clients serviced by Jane, or possibly because the time period was relatively short. Either way, significant firm data was missing and no one even suspected a problem. The firm’s IT team had always reported that all server data was covered, the firm was backup compliant, and everything was in order. Why not believe them?
The trouble really began when Jane left the firm, taking “her” clients and their data with her. The firm finally discovered the theft of information and realized they had absolutely no backups of laptops. They then checked the tape backups, and to their horror, discovered the tapes had been completely overwritten with new information. Enough time had gone by and the data on the tapes had been replaced, as was the standard of their long-trusted backup method.
The firm recently sued.
A lawsuit meant disclosing to the SEC that the firm was out of compliance by not retaining a complete backup of client information. This could mean fines or worse. Obviously the situation is incredibly tricky and has put the firm through a massive amount of stress, worry, and regret.
We have shared this story in the hopes it may prevent tragedies like this from occurring in other firms. The reality of this situation is likely not unique and could happen to ANY RIA firm, even yours. When the IT guys report the backup system is in tip-top shape and fulfilling all data backup and compliance needs,tend to believe them and move on. This firm received poor quality advice from their computer service team, who set up a backup system which was NOT sufficient by most accounting audit standards and certainly not compliant by SEC standards. All client digital information, including client correspondence, disappeared after Jane's deletion because it was not sufficiently backed up or moved off site. The firm assumed they were completely covered when in reality, things were entirely different.
The moral of this story is: BE PROACTIVE. Instead of trusting your data backup system is in compliance because your IT guy says it is, know all the facts and determine that opinion for yourself. You never know when an unfortunate incidence like this one could uncover vulnerability you never knew you had.
Have you heard a similar horror story related to data backup systems and data loss in the RIA community, or experienced data loss in your own firm? Please comment below.