Summary: Coming on the heels of Sephora’s CCPA violation and fine, Morgan Stanley’s failure to protect customers’ PII, and the resulting US $35 million SEC fine, is a revelation of sorts. The fine raises pressing questions for businesses about the far-reaching consequences of a data breach, as this is the second penalty imposed on Morgan Stanley for the same issue. Read this blog to understand what Morgan Stanley did wrong and how it could have been avoided. It will also help businesses and customers understand the importance of data security, data erasure, and choosing the right partner to dispose of end-of-life IT assets.
One would assume that the US $60 million penalty Morgan Stanley had already paid over the same data breach would be the end of it, but that is not how it works for a business regulated under several laws and regulators at once. The profound impact of a data breach is there for all to see and take note of. Morgan Stanley’s wealth and asset management arm, Morgan Stanley Smith Barney LLC (MSSB), has now been fined US $35 million by the SEC (Securities and Exchange Commission) for failing to safeguard customers’ PII (personally identifiable information).
An Insight- What Went Wrong for Morgan Stanley?
It all started in 2014, when MSSB signed a contract with a moving company for data center decommissioning, under which the moving company would pick up, transport, and decommission the data center devices. The agreement also named an IT company (IT Company A) that would wipe or degauss the devices before they were resold, with a significant share of the resale proceeds flowing back to MSSB. The IT company was also to provide detailed reports on the status of the IT assets along with certificates of destruction (CODs). These certificates and reports are vital for audit purposes and satisfy the burden of proof that regulators and courts require.
The first irregularities surfaced in 2016, when the moving company began decommissioning the data center. Here are the key points of the episode, taken from the SEC’s order:
- The moving company initially sent the devices to IT Company A.
- IT Company A maintained the records for the collection, wiping, and resale process.
- Wiping of sold devices was logged in that database, but CODs were not provided.
- MSSB had access to these records and could have used them to oversee the whole process.
- Despite having access, MSSB never monitored the records, nor did it have any contact with IT Company A to confirm that the work was being done correctly.
- Early in the decommissioning, the moving company stopped working with IT Company A and engaged IT Company B without notifying MSSB.
- Inventory tracking and CODs stopped arriving, which should have told MSSB that IT Company A was no longer in the picture.
- IT Company B bid on the MSSB hard drives at auction on the moving company’s instructions.
- Although IT Company B had data destruction capabilities, the moving company never asked it to wipe the drives.
- IT Company B was under the impression that the drives had already been wiped.
- After taking possession of the drives, IT Company B issued Certificates of Indemnification (COIs).
- The moving company forwarded these COIs to MSSB, referring to them as CODs.
- MSSB should have noticed IT Company B’s logo and letterhead on the COIs, but it never reviewed them.
- Had MSSB reviewed the COIs, it would have known that the hard drives were not being wiped, and that they potentially still held customer PII and consumer report information.
- Most of the devices came with an encryption feature that MSSB did not activate until 2018.
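Almost every failure in that list would have surfaced from a routine reconciliation of the decommissioning inventory against the certificates that came back. The following Python script is an added example of such a check, not code from Morgan Stanley, the moving company, IT Company A or B, or the SEC; the record layouts, the contracted vendor name, and the serial numbers are constructed for illustration. It flags data-bearing devices with no certificate, devices for which only a COI rather than a COD was received, CODs issued on a letterhead other than the contracted vendor’s, CODs that name no sanitisation method, drives whose built-in encryption was never enabled, and certificates for serials that were never in the inventory.

```python
"""Reconcile a data-center decommissioning inventory against the vendor
certificates that came back for it.  Added example: not Morgan Stanley's,
the moving company's or the SEC's code; vendor names, serials and record
layouts below are constructed for illustration."""

from dataclasses import dataclass

# Vendor contractually responsible for wiping/degaussing (assumed name).
CONTRACTED_WIPE_VENDOR = "IT Company A"


@dataclass(frozen=True)
class Device:
    serial: str
    data_bearing: bool   # did it hold customer data?
    encrypted: bool      # was the drive's built-in encryption turned on?


@dataclass(frozen=True)
class Certificate:
    serial: str
    issuer: str          # whose letterhead the certificate carries
    kind: str            # "COD" = certificate of destruction, "COI" = indemnification
    method: str = ""     # sanitisation method claimed, e.g. "degauss"


def reconcile(devices, certificates):
    """Return (findings, orphans): findings maps a data-bearing serial to the
    list of control failures seen for it; orphans lists certificate serials
    that match nothing in the inventory (a sign the vendor or scope changed)."""
    certs_by_serial = {}
    for cert in certificates:
        certs_by_serial.setdefault(cert.serial, []).append(cert)
    inventory = {d.serial for d in devices}
    orphans = sorted(s for s in certs_by_serial if s not in inventory)

    findings = {}
    for dev in devices:
        if not dev.data_bearing:
            continue                      # nothing to sanitise on this unit
        issues = []
        certs = certs_by_serial.get(dev.serial, [])
        cods = [c for c in certs if c.kind == "COD"]
        if not certs:
            issues.append("no certificate received")
        elif not cods:
            kinds = ", ".join(sorted({c.kind for c in certs}))
            issues.append(f"only {kinds} received, no COD")
        for cod in cods:
            if cod.issuer != CONTRACTED_WIPE_VENDOR:
                issues.append(f"COD issued by unexpected vendor {cod.issuer!r}")
            if not cod.method:
                issues.append("COD does not state a sanitisation method")
        if not dev.encrypted:
            issues.append("left the site with encryption never enabled")
        if issues:
            findings[dev.serial] = issues
    return findings, orphans


# Constructed sample: five devices, four certificates, one of them for a serial
# that was never in the inventory.
SAMPLE_DEVICES = [
    Device("SN-0001", data_bearing=True, encrypted=False),
    Device("SN-0002", data_bearing=True, encrypted=True),
    Device("SN-0003", data_bearing=True, encrypted=True),
    Device("SN-0004", data_bearing=False, encrypted=False),
    Device("SN-0005", data_bearing=True, encrypted=True),
]
SAMPLE_CERTIFICATES = [
    Certificate("SN-0001", "IT Company A", "COD", "degauss"),
    Certificate("SN-0002", "IT Company B", "COI"),
    Certificate("SN-0005", "IT Company B", "COD", "overwrite"),
    Certificate("SN-9999", "IT Company B", "COI"),
]

if __name__ == "__main__":
    findings, orphans = reconcile(SAMPLE_DEVICES, SAMPLE_CERTIFICATES)
    for serial, issues in findings.items():
        print(serial, "->", "; ".join(issues))
    print("orphan certificates:", orphans)
```

Run against the real inventory export and the certificates as they arrive, and treat any finding or orphan as a stop-shipment condition for the next batch. A vendor substitution like the one in the order shows up as a wave of unexpected-issuer findings and orphan serials rather than as silence, which is exactly the signal that was available and never looked at.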
On October 25, 2017, MSSB received an email from an IT consultant in Oklahoma who had purchased the hard drives through an online auction. In that email, the consultant informed MSSB, “You are a major financial institution and should be following some very stringent guidelines on how to deal with retiring hardware. Or at the very least getting some kind of verification of data destruction from the vendors you sell equipment to.”
It was only in late 2017 that MSSB launched an investigation into the disposition of devices from the 2016 data center decommissioning.
In total, the moving company handled 4,900 devices, including 53 RAID (Redundant Array of Independent Disks) arrays with a combined capacity of about 1,000 hard drives. Most of these devices were not data-bearing, but some contained unencrypted customer PII and consumer report information. The moving company also removed 8,000 backup tapes from one of the data centers.
Another fourteen of the lost hard drives were recovered by MSSB from a downstream buyer in June 2021. A forensic examination found that thirteen of them still held at least 140,000 pieces of customer PII. The great bulk of the hard drives from the 2016 Data Center Decommissioning is still missing. In July 2020, MSSB notified around 15 million affected customers that “some devices assumed to have been erased of all information nonetheless included some unencrypted data,” potentially including PII.
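The forensic result above, thirteen of fourteen recovered drives still holding PII, is what a verification step before resale would have caught. As an added example, not the tooling used in the investigation the post describes, the Python script below scans a drive image block by block, classifies each block as zero-filled, single-byte pattern, high-entropy (what a crypto-erased or encrypted drive looks like), or structured plaintext, and searches for PII-shaped strings; the in-memory image, the entropy threshold and the regex set are constructed assumptions for illustration.

```python
"""Check whether a drive image shows signs of data that survived 'wiping'.
Added example, not the forensic tooling from the investigation the post
describes; the image, threshold and patterns are constructed assumptions."""

import math
import random
import re
from collections import Counter

BLOCK_SIZE = 4096
HIGH_ENTROPY = 7.0   # bits per byte; encrypted/crypto-erased data sits near 8.0

# PII-shaped strings that mean plaintext customer data survived (assumed set).
PII_PATTERNS = {
    "card": re.compile(rb"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte, estimated from the block's byte histogram."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def classify_block(block: bytes) -> str:
    if len(set(block)) == 1:
        return "zero" if block[0] == 0 else "pattern"   # overwrite residue
    if shannon_entropy(block) >= HIGH_ENTROPY:
        return "high_entropy"                           # encrypted or random
    return "structured"                                 # plaintext-like content


def scan_image(image: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Classify every block and collect PII-pattern hits with their offsets.
    Note: a string straddling a block boundary is missed by this version."""
    summary = Counter()
    hits = []
    for offset in range(0, len(image), block_size):
        block = image[offset:offset + block_size]
        summary[classify_block(block)] += 1
        for name, rx in PII_PATTERNS.items():
            for m in rx.finditer(block):
                hits.append((offset + m.start(), name,
                             m.group().decode("ascii", "replace")))
    return {"blocks": dict(summary), "pii_hits": hits}


def looks_wiped(report: dict) -> bool:
    """A sanitised drive shows only overwrite residue (zero/pattern) or
    high-entropy blocks, and no recognisable PII anywhere."""
    return report["blocks"].get("structured", 0) == 0 and not report["pii_hits"]


# Constructed sample image: one customer record repeated through a block the
# "wipe" never touched, surrounded by zeroed blocks and one random block.
SAMPLE_RECORD = b"ACCT 4111 1111 1111 1111 SSN 123-45-6789 jane.doe@example.com\n"


def build_sample_image() -> bytes:
    rng = random.Random(2016)                    # fixed seed: reproducible
    leaked = (SAMPLE_RECORD * (BLOCK_SIZE // len(SAMPLE_RECORD) + 1))[:BLOCK_SIZE]
    random_block = bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE))
    return (bytes(BLOCK_SIZE) * 6     # properly overwritten blocks
            + leaked                  # block still holding plaintext PII
            + random_block            # crypto-erased / encrypted block
            + bytes(BLOCK_SIZE) * 2)


if __name__ == "__main__":
    report = scan_image(build_sample_image())
    print(report["blocks"])
    print("PII hits:", len(report["pii_hits"]), "first:", report["pii_hits"][:3])
    print("wiped:", looks_wiped(report))
```

For a real drive, read the device node in BLOCK_SIZE chunks and feed them to the same functions; a sampled subset of blocks is enough to reject a drive, but only a full pass supports a clean verdict. High-entropy blocks are acceptable only when the drive was actually crypto-erased; otherwise they may be compressed or encrypted files rather than evidence of sanitisation.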
Violations & Fines:
In its findings and the subsequent order instituting administrative and cease-and-desist proceedings, the SEC cited the following violations:
- The Safeguards Rule, Rule 30(a) of Regulation S-P, requires covered entities, including registered broker-dealers and registered investment advisers, to adopt written policies and procedures that address administrative, technical, and physical safeguards reasonably designed to protect customer records and information.
Because MSSB failed to develop written policies and procedures for protecting customer data, including PII and consumer report information, during the 2016 Data Center Decommissioning, the SEC found that it willfully violated the Safeguards Rule.
- The Disposal Rule, Rule 30(b) of Regulation S-P, requires covered entities that maintain or possess consumer report information for a business purpose to take reasonable measures to protect against unauthorized access to, or use of, that information in connection with its disposal.
Because MSSB possessed devices holding consumer report information but did not take reasonable measures to protect it during the 2016 Data Center Decommissioning, the SEC found that it willfully violated the Disposal Rule.
It is worth noting that both rules have been in force since at least 2005.
The SEC imposed sanctions on MSSB under Sections 15(b) and 21C of the Exchange Act and Sections 203(e) and 203(k) of the Advisers Act, as follows:
- MSSB must cease and desist from committing or causing any violations, and any future violations, of Rule 30(a) and (b) of Regulation S-P.
- MSSB has been censured by the SEC.
- Within 30 days of the entry of the order, MSSB must pay the SEC a civil money penalty of US $35,000,000 for transfer to the general fund of the United States Treasury. If payment is not received within that time, interest accrues under 31 U.S.C. § 3717.
SEC Press Release and Its Meaning:
Gurbir S. Grewal, Director of the SEC’s Enforcement Division, said, “MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so.” He added, “If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”
The wording of this press release is a sign of the times to come: the SEC will not tolerate infringements of the personal data of US citizens, and it will not let them go unpunished. The SEC’s stance comes on the heels of the massive fine imposed on Sephora by California Attorney General Rob Bonta for violating the CCPA. The message is clear: America takes the privacy of its citizens seriously, and it will not tolerate big businesses defying data privacy and protection standards.
Points to Keep in Mind: The Conclusion
Morgan Stanley’s latest penalty should warn every business that data sanitization and destruction are as crucial as data management. The fine is a stark reminder for anyone who has been putting off formulating a standardized data destruction policy and implementing it as part of data management. Regulators are watching, and that scrutiny will only increase if the proposed ADPPA (American Data Privacy and Protection Act) is enacted. Businesses therefore need to be extra cautious about data security to prevent violations and the fines that follow.