Morgan Stanley Gets Slapped With $35 Million Fine After Failing To Wipe And/Or Encrypt Hard Drives That Eventually Were Resold

Well, this is one hell of a screw up.

A reader pointed out to me that the SEC has fined Morgan Stanley $35 million. The press release that the SEC put out has these details:

The Securities and Exchange Commission today announced charges against Morgan Stanley Smith Barney LLC (MSSB) stemming from the firm’s extensive failures, over a five-year period, to protect the personal identifying information, or PII, of approximately 15 million customers. MSSB has agreed to pay a $35 million penalty to settle the SEC charges.

The SEC’s order finds that, as far back as 2015, MSSB failed to properly dispose of devices containing its customers’ PII. On multiple occasions, MSSB hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the PII of millions of its customers. Moreover, according to the SEC’s order, over several years, MSSB failed to properly monitor the moving company’s work. The staff’s investigation found that the moving company sold to a third party thousands of MSSB devices including servers and hard drives, some of which contained customer PII, and which were eventually resold on an internet auction site without removal of such customer PII. While MSSB recovered some of the devices, which were shown to contain thousands of pieces of unencrypted customer data, the firm has not recovered the vast majority of the devices.

The SEC’s order also finds that MSSB failed to properly safeguard customer PII and properly dispose of consumer report information when it decommissioned local office and branch servers as part of a broader hardware refresh program. A records reconciliation exercise undertaken by the firm during this decommissioning process revealed that 42 servers, all potentially containing unencrypted customer PII and consumer report information, were missing. Moreover, during this process, MSSB also learned that the local devices being decommissioned had been equipped with encryption capability, but that the firm had failed to activate the encryption software for years.

Wow. There are a lot of #fails her. And quite honestly if I were a Morgan Stanley customer, I would be pissed.

Yes I said it.

The fact is that in 2015 never mind 2022, this is completely unacceptable. Companies need to handle Personally Identifiable Information or PII with the upmost of care. Morgan Stanley didn’t and it’s cost them. Though seeing as they agreed to pay this fine to make this problem go away as I suspect they figured out that they were in deep trouble when the SEC knocked on their door.

Hopefully, companies who handle PII are paying attention to this and hopefully the SEC doles out more punishment like this to send the message that if you screw this up, you will pay.

Leave a Reply