Protecting client privacy is one of the most important responsibilities of any financial advisor. And it's about to become one of the most time-consuming and highly regulated aspects of the business as well. The challenge for small, independent firms is especially acute, and it speaks to an even larger industry problem: Regulatory compliance in this area is about to reach a whole new level of crazy.
Advisors unaware of all the changes taking place in this realm have their work cut out for them. These new mandates may require an assessment of technology capabilities, a new awareness on the part of advisory firm personnel and some real changes in advisors' practices.
One of the most disturbing trends to unfold in 2010 is that more individual states will implement their own laws for how advisors must protect the privacy of clients living in that state. These regulations are, of course, in addition to new federal regulations coming from the Federal Trade Commission (FTC), and both existing and revised regulations from the Securities and Exchange Commission (SEC). All this sits atop the industry's own standard for transporting client data from one firm to the next, the Protocol for Broker Recruiting (aka the Broker Protocol). Most disturbing, each state is looking for something a little different, creating a slew of ugly logistical and technological issues for the small advisory firm with clients in more than a couple of states.
As is often the case with burdensome mandates, California has paved the way for activism in this area. A few years ago, it became the first state to raise the stakes beyond the federal requirements. I get what is behind California's bill; for instance, it requires advisors to seek their clients' consent before sharing certain data rather than requiring them to "opt out" of information sharing.
But California also mandates detailed business measures, including the font size on the advisor's privacy notice, the margins on the page and the average number of words per sentence. It also requires the envelope sent to clients to carry the words "important privacy choices" in 16-point type. If I'm a New York advisor and I have one client in California for whom I need to do this, complying is a bit of a hassle. But if I also have clients in Nevada, New Hampshire and Massachusetts, and each of these states has its own rules, juggling such minutiae can quickly reach a point of insanity. And this is not simply a matter of managing a privacy program based upon the most restrictive requirements. If each state begins to mandate different language on the envelope, for example, and not just a font size, we will have spawned a whole new industry of service providers where none previously existed (see proxy voting services).
COSTS WILL RISE
This shift means that advisors can no longer afford to be cheap in their technology spending. Data encryption is a case in point. As of the beginning of this year, Nevada requires all companies doing business in the state to encrypt any personal information transferred by electronic transmission, other than fax, outside the secure system of the business. For advisors, this would kick in whenever they send an email to anyone outside of the firm (or within the firm if they employ a hosted email platform).
Massachusetts also passed a new privacy law set to take effect later this year, after several delays and revisions. This law requires advisors to:
* Adopt and implement a written privacy program, which must meet various state-specific requirements. Affected advisors can no longer get away with the basic "off-the-shelf" privacy policy and procedures without customizing them to address the advisor's actual business practices.
* Conduct an annual, internal/external review of the program for adequacy and effectiveness. This will keep advisors current in all of their processes.
* Designate a person responsible for administering the program. Under the premise of "one noose, one neck," advisors will need to tap a real, live person to be responsible for running this initiative.
In addition, when "technically feasible," advisors are required to encrypt all client data containing personally identifiable information. By technically feasible, the law means that if there are reasonable means to do this, advisors have to comply, but don't count on any further guidance. Regulators won't clarify what those "reasonable means" are until it's time for them to bring enforcement actions against early offenders. Since encryption tools are now being built into computer hardware, operating systems and office applications, advisors seem willing to assume that there is a reasonable means to encrypt this data. Nothing in the law says it has to be fun.