The Duty of Confidentiality and Privacy Requires Reasonable Steps to Protect Client Information
CFP Board has developed a series of case studies to provide practical guidance to CFP® professionals and their firms on the new Code and Standards. Each case study presents a hypothetical factual circumstance and then asks a question about a CFP® professional’s duty in that circumstance under the Code and Standards.
Mei is a CFP® professional who works for a financial services firm. She is the financial professional for Clients Jin and Fen.
Mei meets with Jin and Fen to discuss updates to their financial plan. Based upon the meeting, Mei needs to send documents to Jin and Fen. Mei normally uses her firm’s e-mail system to share documents with Jin and Fen. However, the firm was experiencing a system error at the time, and the firm’s email system was inoperative.
Because some of the documents were time-sensitive, including documents that required a same-day response, Mei did not believe she could wait for the firm’s systems to come back online. Instead of waiting, Mei emailed the relevant documents to her personal email account, a commercially available email service that does not provide the same level of protection as her firm’s email system. Mei then used her personal email to send the documents to Jin and Fen.
Did Mei’s actions violate the Code of Ethics and Standards of Conduct?
Response A is not the best response. While Mei may have believed that her personal email was secure, her belief is not, by itself, enough to meet the standard.
Response B is not the best response. Mei’s disclosure to the clients is irrelevant to whether her use of personal email violated the Duty of Confidentiality and Privacy under CFP Board’s Code and Standards.
Best Response: Response C is the best response. This case involves the Duty of Confidentiality and Privacy (Standard A.9.).
A CFP® professional, either directly or through the CFP® professional’s firm, must take reasonable steps to protect the security of non-public personal information about any client, including the security of information stored physically or electronically, from unauthorized access that could result in harm or inconvenience to the client.
Mei’s failure to take reasonable steps to protect this client information is demonstrated by the fact that the information was sent to, and stored in, a personal email inbox that did not have the same level of protection the information would have had if it had remained on the firm’s email system.
Response D is not the best response. The clients’ need to receive the documents does not negate Mei’s responsibility to ensure that the transfer of those documents is secure.
Relevant Standard: Confidentiality and Privacy (Standard A.9.).
Access More Guidance Materials
This compliance resource is part of a full library of resources that CFP® professionals can use to comply with the Code and Standards. More guidance materials can be found in our Compliance Resources Library.