Morgan Stanley’s Lost Hard Drives Offer ‘Cautionary Tale’

Companies need to “be taking a look at the findings to ... make sure [they] don’t fall into the same mistakes.”

Corporate legal, compliance, and risk management chiefs would be wise to study the U.S. Securities and Exchange Commission’s (SEC’s) action against Morgan Stanley over the firm’s alleged “astonishing” failure to protect the data of millions of customers.

“Every company should take a look at it as a cautionary tale and re-examine what you’re doing,” said Don Riddick, Atlanta-based chief legal officer at Featurespace, a tech firm that detects and prevents financial crimes.

“We’ll be taking a look at the findings to decide how it might impact us and make sure we don’t fall into the same mistakes,” he added. 

The SEC announced Tuesday that Morgan Stanley had agreed to pay a $35 million penalty to settle allegations that the firm had failed for five years, beginning in 2015, to protect the personally identifying information (PII) of about 15 million customers.

The SEC found that Morgan Stanley’s wealth management business hired a moving and storage company, which was not experienced in data destruction services, to decommission thousands of hard drives and servers that held massive amounts of customer data.  

Gurbir Grewal, director of the SEC’s Enforcement Division, asserted in a statement that Morgan Stanley’s “failures in this case are astonishing,” adding that the firm “fell woefully short” of its responsibility to protect customer data. 

He added, “Today’s action sends a clear message to financial institutions that they must take seriously their obligations to safeguard such data.”

A spokesperson for Morgan Stanley, which settled the case without admitting or denying the SEC’s findings, noted that the firm alerted any clients who might have been affected by the situation and had “not detected any unauthorized access to, or misuse of, personal client information.” 

The SEC alleged that Morgan Stanley failed to properly monitor the moving company’s work over several years and that some of the devices still containing customer data ended up being sold in online auctions. The agency also reported that Morgan Stanley has not recovered the “vast majority” of the devices. 

Federal regulators have “made it clear that you need to have appropriate third-party risk management and oversight,” Riddick said. “Typically, that involves supervision of third parties in high-risk activities—and it’s conceivable that the destruction of a large amount of personal data would be considered a high-risk activity.” 


From: Corporate Counsel