A recent Cetera AdvisorNews article provided a compliance update regarding emails with personally identifiable information (PII). Beginning 3/31/2025, emails with PII will be automatically encrypted. This is an extra layer of protection and is a great enhancement.
But what does this mean to you? This extra layer of protection only applies if your email is “hosted” by Cetera. Not sure who hosts your email? Contact Scott Sirois, Director of Alignment & Technology with Prosperity Network: Scott@prosperityadvisors.com, 913-451-4501.
Email is “hosted” by Cetera:
- Is your email hosted by Cetera? If so, this extra layer of email protection is provided by Cetera.
- HOWEVER, you are still required to securely send any email that has PII in the body of the email or in an email attachment.
- When your email is hosted by Cetera, you need to put [secure] in the subject line of the email to proactively send the email securely. This will engage the email encryption service that is included with Cetera’s O365 hosting. Your recipient will receive a secure email notification through which they can gain access to the email you sent them.
- If Cetera is providing automatic encryption, WHY do I still have to manually encrypt? The Cetera system scans to detect PII and will then add the encryption layer. HOWEVER, this system could miss some PII. Therefore, if the sender KNOWS there is PII in the body of the email or in an attachment, Cetera’s policy states the sender is required to manually encrypt the email. The sender is responsible for sending any PII in a secure manner.
Email is NOT “hosted” by Cetera:
- If your email is NOT hosted by Cetera, the new extra layer of email protection is not provided.
- It is your responsibility to ensure any email that has PII in the body of the email or in an attachment is sent in a secure and encrypted manner.
- You must determine if your current email host provider has a secure and encrypted email transport available for you to use. If so, please confirm with Cetera (or Prosperity) that it is an approved solution.
- If the email host provider does not offer an approved secure email transport, you must subscribe (additional cost to you) to an approved secure and encrypted transport service and add it to your existing email service.
- If you do not have a secure and encrypted email transport service, then you cannot send any emails that contain PII. You must ensure there is no PII before sending the email. An alternative would be to send the information to the client via fax or securely via the client portal in AdviceWorks.
REMINDER: Do NOT put any PII in the subject line of any email. The subject line is NOT encrypted when using [secure].
NOTE: The AdvisorNews article mentioned other methods of sharing PII with clients such as SharePoint or Box.com. HOWEVER, we have received guidance from Cetera that SharePoint is NOT approved for use with clients. Please contact the Prosperity Network OSJ prior to any use of Box.com to ensure it is being used compliantly.
Please contact the Prosperity Network Compliance Team with any questions: compliance@prosperityadvisors.com or 913-529-5500 Option 2.
Dianne L. Eggert, CFE
Compliance Manager
Internal Use Only