Each day, family offices receive, relay, and manage a family’s private information. Depending on the family and the role of the family office, the information managed can be voluminous and include financial information, tax identification numbers, account numbers, health and health insurance information, estate planning documents and even home security system information. Oftentimes, the family office transmits information to family members via various forms of communication. Younger generations may respond only to text messaging, another generation may prefer e-mail, and older generations may prefer snail mail. None is immune to a security breach.
A recent New York Times article states “The number of new digital threats has increased 10,000-fold over the last 12 years. Last year, over 552 million people had their identities stolen and nearly 25,000 Americans had sensitive health information compromised – on a daily basis.” Approximately 47 states now have data breach statutes. Generally, these statutes define the information covered and the obligations of the “information holder” upon discovery of a breach.
How does a family office protect the family’s private information, yet maintain transparency and open communications while providing the services required in the manner expected? The first and most important task for the family office is to determine exactly what it has and how to best protect it. In the privacy world, this is referred to as “information governance.”
Information governance requires the family office to put its “house in order” to enable it to secure its most valuable asset – the family’s information. It establishes a consistent and logical framework for family office employees to handle data. This framework is implemented through an information governance policy.
Establishing the policy should involve all relevant parties and take into account the culture, responsibilities, operations, and technology of both the family office and the family. The policy should also consider particular challenges posed by both the family office and the family. What information does the office manage for the family and each particular member of that family? How and how often is that information communicated? Depending on the type of information and type and frequency of communication, there are different practical and legal considerations, which may not be limited to privacy concerns.
The information governance policy should address information management. How will the office decide what information should be saved (with a goal of minimizing redundancy), and what information should be deleted? If saved, how and where will it be stored? Conversely, if deleted, how and when will it be deleted? Again, different practical and legal considerations will apply depending on the type of information.
The past year was one of a record-setting number of hacking incidents. Family offices must remain vigilant and stay abreast of constant threats to their family’s information and the legal obligations imposed to protect it.