April 23, 2014
Info about Heartbleed internet security vulnerability
You've likely heard about the "Heartbleed" internet security vulnerability that's been reported in the media recently. We wanted to remind you about this and about how it may affect the internet security of your on-line financial accounts.
"Heartbleed" is an internet security vulnerability in OpenSSL, a widely-used software package for encrypting internet communications. This vulnerability potentially allowed an attacker to gain enough information to eavesdrop on customer communications with financial service providers' websites. Some websites were using this OpenSSL software and were potentially affected, while others that did not use OpenSSL were not affected. Assorted media (such as CNN, etc.) have compiled lists of which websites were affected and which weren't, as well as the patch status of the affected sites.
We use a third-party service provider called "ByAllAccounts" that aggregates clients' financial accounts for which we're not the investment manager (for example, a client's 401k plan or 403b plan through an employer). This helps us manage a client's overall portfolio, including the accounts on which we're not listed as the investment manager. ByAllAccounts has a system of direct links they've established with the various financial account custodians. Then, using the client's on-line account access credentials, ByAllAccounts pulls this data into its aggregation system via these links.
ByAllAccounts has informed us that the OpenSSL software they were using in their system was affected by "Heartbleed". ByAllAccounts followed best practices by immediately obtaining and validating a patched version of OpenSSL and immediately deploying that new version in its system.
ByAllAccounts reviewed its system logs and did not find any unusual access patterns that indicate exploitation. However, in the interest of security, we suggest that clients change their online passwords for all of their financial accounts.
Once you've changed your non-Fidelity account passwords, can you please let us know? We can then coordinate having you go through ByAllAccounts' system to add the new passwords there (assuming you want us to continue including these accounts in our management of your portfolio).
If you have any questions about this process or this issue, please let us know. We will also continue to discuss comprehensive identity theft planning with you throughout our financial planning.
Thank you again for having us be your advisor.