Morgan Stanley Smith Barney Pays $35 Million Over "Astonishing" Client Data Lapse

The story adds to other cases of large financial institutions failing to protect client information. It highlights that cybersecurity is not only about keeping out hostile outsiders such as hackers; it is also about preventing failures inside the organization, such as unmanaged third-party vendors and unencrypted hardware leaving the premises.
Morgan Stanley Smith Barney LLC (MSSB), part of Morgan Stanley, has agreed to pay $35 million to settle charges with the Securities and Exchange Commission for "astonishing" failures to protect the data of approximately 15 million clients.

The firm's failings in protecting personal identifying information (PII) took place over a period of five years, the SEC said in a statement on September 20. This news service has asked Morgan Stanley for comment and may update in due course.
A report by PC Mag quoted a Morgan Stanley spokesperson as saying: "We are pleased to be resolving this matter. We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information."
The story adds to a series of cases in which large institutions have failed to guard information. A few days ago, the Internal Revenue Service said it had inadvertently put 120,000 persons' details on a public website. The MSSB case also raises questions about the role of third-party service providers, and shows that liability for problems remains with the firm that chooses to outsource a task such as hardware disposal.
Back in 2015
The SEC said that as far back as 2015, MSSB failed to properly dispose of devices containing its customers' PII.
"MSSB's failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so," Gurbir S Grewal, director of the SEC's Enforcement Division, said.
"On multiple occasions, MSSB hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the PII of millions of its customers," the SEC said.
Over several years, MSSB failed to properly monitor the moving company's work. The SEC staff's investigation found that the moving company sold thousands of MSSB devices, including servers and hard drives, to a third party; some of the devices still contained customer PII and were eventually resold on an internet auction site without that PII having been removed.

While MSSB recovered some of the devices, which were shown to contain thousands of pieces of unencrypted customer data, the firm has not recovered most of them.
The SEC's order also finds that MSSB failed to properly safeguard customer PII and properly dispose of consumer report information when it decommissioned local office and branch servers as part of a broader hardware refresh program.
A records reconciliation exercise undertaken by the firm during this decommissioning process revealed that 42 servers, all potentially containing unencrypted customer PII and consumer report information, were missing. Moreover, during this process MSSB also learned that the local devices being decommissioned had shipped with encryption capability, but that the firm had failed to activate the encryption software for years, so the data on any lost or resold drive was readable to whoever obtained it.
Without admitting or denying its findings, MSSB consented to the SEC's order finding that the firm violated the Safeguards and Disposal Rules under Regulation S-P and agreed to pay the $35 million penalty.