Morgan Stanley Smith Barney has agreed to pay a $35 million fine to settle claims that it failed to protect the personal information of about 15 million customers, the Securities and Exchange Commission said on Tuesday.
In a statement announcing the settlement, the S.E.C. described what it called Morgan Stanley’s “extensive failures,” over a five-year period beginning in 2015, to safeguard customer information, in part by not properly disposing of hard drives and servers that ended up for sale on an internet auction site.
On several occasions, the commission said, Morgan Stanley hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the personal information of millions of its customers.
The moving company then sold thousands of the devices to a third party, and the devices were then resold on an unnamed internet auction site, the commission said.
An information technology consultant in Oklahoma who bought some of the hard drives on the internet chastised Morgan Stanley after he found that he could still access the firm’s data on those devices.
Morgan Stanley is “a major financial institution and should be following some very stringent guidelines on how to deal with retiring hardware,” the consultant wrote in an email to Morgan Stanley in October 2017, according to the S.E.C.
The firm should, at a minimum, get “some kind of verification of data destruction from the vendors you sell equipment to,” the consultant wrote, according to the S.E.C.
Morgan Stanley eventually bought the hard drives back from the consultant.
Morgan Stanley also recovered some of the other devices that it had improperly discarded, but has not recovered the “vast majority” of them, the commission said.
The S.E.C. said it also found that Morgan Stanley had not properly disposed of consumer report information when it decommissioned servers from local offices and branches as part of a “hardware refresh program” in 2019. Morgan Stanley later learned that the devices had been equipped with encryption capability, but that it had failed to activate the encryption software for years, the commission said.
Gurbir S. Grewal, director of the commission’s enforcement division, said that Morgan Stanley’s failures in the case were “astonishing.”
“Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so,” he said in a statement. “If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors.”
Morgan Stanley agreed to pay the $35 million penalty to the general fund of the United States Treasury Department, without admitting or denying the commission’s findings, the S.E.C. said.
Morgan Stanley said in a statement that it was “pleased to be resolving this matter.”
“We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information,” the firm said in a statement.
Source: NY Times