The Securities and Exchange Commission has fined Morgan Stanley Smith Barney (MSSB) for failing to protect its customers’ personal identifying information (PII) over a five-year period. The SEC claims that Morgan Stanley not only did not destroy its clients’ personal data from hard drives set to be decommissioned but also hired unqualified companies to do so.
The SEC has discovered that Morgan Stanley did not properly dispose of storage devices containing its customers’ PII dating as far back as 2015. The commission also found out that in several cases, Morgan Stanley contracted a “moving and storage company with no experience or expertise in data destruction services” to retire thousands of HDDs and servers containing the personal information of millions of its clients. Instead of destroying the drives and server, the company sold them to a third party, which sold them on an Internet auction.
Typically, companies dealing with sensitive data use hardware security modules (HSMs) such as Marvell’s LiquidSecurity, self-encrypting drives (SED), or at least encrypt the data via software. Decommissioning a SED is a fast and easy process as it only requires erasing the encryption key from the drive. Morgan Stanley did not use SEDs and did not encrypt data on its servers, even though the latter supported such capability. Usually, decommissioning a server with unencrypted data requires erasing all the data and ensuring it is impossible to recover it, which in many cases includes the physical destruction of storage devices. Yet, MSSB’s contractors did not do that, and MSSB did not properly monitor its work.
Finally, Morgan Stanley found that 42 servers, all hypothetically storing unencrypted customer PII and consumer report information, were essentially lost or stolen by the moving company.
“Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so,” said Gurbir S. Grewal, Director of the SEC’s Enforcement Division. “If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”
Morgan Stanley agreed to pay a $35 million fine without admitting guilt or denying the SEC’s findings.
