What Evernote’s Privacy U-turn Teaches Us About Enterprise Security and Compliance

And Why Investment Managers Should Take Note

Over the last 12 months we’ve seen a growing number of CTOs and PMs try to place a fund-wide ban on the consumer-based note-taking app for research analysts. Sounds extreme for an app that’s simply designed to help individuals be more productive, right?

But while analysts look to these sorts of consumer-based software applications to help solve their workflow needs, they can expose themselves and their firms to various privacy and regulatory compliance risks.

Most fund managers already know this. However, following Evernote’s very public privacy policy debacle, so do pretty much all of its users across all walks of life, and all industries. And they’re none too pleased.

Such compliance, cybersecurity and privacy concerns are not limited to Evernote by any means. However, its December decision to ‘revert’ its latest privacy update, in which employees had permission to access private note content in certain circumstances, has served to expose the very real challenges of adopting consumer-driven tools in highly-regulated industries and enterprise-led environments.

This article delves into the key privacy, security and compliance lessons learned, and sheds light on what fund managers need to be wary of when it comes to the apps they chose to store, save and share their sensitive investment data and research.


Privacy is important to you? Oh, right, well…

The change to Evernote’s privacy policy, which was due to come into effect on 23rd January, would have given Evernote staff permission to read private note content created by its users in order to test the accuracy of its new machine learning technology.

In an update published on 12/13/16 Evernote users took issue with the following :

The latest update to the Privacy Policy allows some Evernote employees to exercise oversight of machine learning technologies applied to account content,the announcement (which is no longer available) stated. While our computer systems do a pretty good job, sometimes a limited amount of human review is simply unavoidable in order to make sure everything is working exactly as it should.

A backlash ensued.

Secure Evernote Alternative on Twitter

A few weeks later, Evernote made a U-turn and scrapped the planned privacy changes with CEO, Chris O’Neil, apologizing and stating that it was “communicated poorly”.

But January 23rd has come and gone, so you probably know all this. What may be less clear is what the whole saga says about the wider consumer to enterprise note-taking marketplace as a whole, and that Evernote is by no means alone in adding a “manual” element to its “automation” processes, or implementing practices that can make meeting SEC compliance regulations, such as recordkeeping and data management, that little bit harder.

All in the name of machine-learning

Evernote used machine learning and AI as its justification for changes to privacy practices. As an article in The Register from the time noted…’this is not entirely unusual amongst cloud services – although providers are typically coy about publicising it.’

It’s not just consumer technology either. There are – for example – a number of hedge fund research management systems that apply similar principles to those of  Evernote’s recently pulled privacy policy on employee access and permission to read notes in the name of machine learning.

When it comes to a supplier’s definition of automation, say for auto-tagging, firms must be wary of how often and in what circumstances said supplier readily accesses your sensitive notes and information to ‘check’ that the process is working okay, help the machine learning system along, and ultimately correct any issues manually.

It is in fact more common than many think. The question is how transparent suppliers are about the extent of content access. That’s where your due-diligence kicks in.

Want no surprises? Do your due diligence.

If hedge fund analysts use Evernote for day-to-day note taking, the chances are it has managed to escape the full-force of the firm’s supplier due-diligence process.

While the privacy policy saga shows exactly why that would be a mistake, it shouldn’t be the case for a system designed for the investment management industry, adopted firm wide and purchased through official procurement channels. The increased importance of due diligence questionnaires (DDQ) cannot be overlooked.

Take the best practices and guidelines in the AITEC (Alternative Investment Technology Executive Club) DDQ survey. Made up of over 14 sections, it’s anything but basic, and critically it covers privacy and cybersecurity controls from content access, encryption and network security to incident response policies and software practices.

It ensures your suppliers follow the strictest security standards, and that there are no surprises when it comes to privacy policies and access controls.

Private by default. Compliant by design.

The Evernote privacy backlash demonstrated that consumers want their content to be private by default. For enterprise-users, specifically in the investment management industry, they also need the software that enables that to be compliant by design.

If you don’t like the idea of a consumer cloud-based service being able to access your account content at will you may need to look very closely at your mobile app estate. And if you don’t like the idea of your compliance integrity, say for recordkeeping and data management, coming under the SEC spotlight, you’ll need to look at your third party-suppliers.

Compliance checks – from back-up and disaster recovery to separation of client data, through to assessing any conflict of interest between your data and the commercial activities of your supplier – need to happen upfront, and on a continual basis to ensure the relationship between you, your supplier and your data is sound.

What does that all mean in practice?

As we stated at the beginning of the article, many fund managers are already wary of certain compliance and security gaps in consumer-led applications. The three most common reasons funds are reconsidering Evernote and other consumer tools for investment research today are:

  1. They fall short on data management regulations
  2. Makes meeting recordkeeping requirements increasingly difficult
  3. Encourages information silos and impacts cybersecurity examination preparedness

With the recent U-turn and privacy headlines not going anywhere, we can expect that trend to continue. However, if there is one takeaway from the privacy backlash, it is that fund managers should not save these concerns for consumer tools alone.

Any software that’s in play at your fund – whether downloaded from the app store with a credit card, or procured through official channels from the corporate IT budget – should undergo rigorous and continuous assessment to ensure it meets all your compliance and cybersecurity needs.

Of course there is always a way for your fund to deploy additional systems, processes and bespoke technology practices to meet security compliance regulations with any software you implement. Whether it’s the addition of building bespoke technology, multiple integrations and APIs or tailor made security processes, it’s certainly achievable – with work.

However, in a time when compliance and cybersecurity is complicated enough, and small efficiencies are paramount to success, adding in layers of complexity is becoming less and less favorable as funds seek out technology that has a ‘compliant by design’ approach.

One thing’s for sure, you cannot avoid the consumer usability appeal. Both Evernote’s changes to its pricing and plans last year and its more recent privacy policy caused a vocal crowd of frustrated research analysts and investors to seek out the best Evernote alternatives for Investment professionals.

And you can be sure they weren’t looking just for compliant solutions, they were looking for usable ones.

If you’re looking to discuss your approach to ensuring compliant and secure access to your research data, or want to learn more about the risks and realities of consumer software in your research practices, get in touch.