The Securities and Exchange Commission has fined Morgan Stanley Smith Barney (MSSB) for failing to protect its customers' personally identifiable information (PII) over a five-year period. The SEC claims that Morgan Stanley not only failed to destroy its customers' personal data on hard drives slated for decommissioning but also hired unqualified companies to do the job.
The SEC found that Morgan Stanley did not properly dispose of storage devices containing its customers' PII dating back to 2015. The commission also found that on several occasions Morgan Stanley contracted a "moving and storage company with no experience or expertise in data destruction services" to retire hundreds of HDDs and servers containing the personal information of hundreds of thousands of its customers. Instead of destroying the drives and servers, that company sold them to a third party, which resold them on an Internet auction site.
Typically, companies handling sensitive data use hardware security modules (HSMs) such as Marvell's LiquidSecurity, self-encrypting drives (SEDs), or at the very least encrypt the data in software. Decommissioning an SED is a fast and simple process because it only requires erasing the encryption key from the drive. Morgan Stanley did not use SEDs and did not encrypt data on its servers, even though the servers supported that capability. Normally, decommissioning a server holding unencrypted data requires erasing all of the data and ensuring it cannot be recovered, which in many cases means physically destroying the storage devices. Yet MSSB's contractors did not do this, and MSSB did not properly monitor their work.
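The crypto-erase step described above, as an added example that is not part of the original article or of any Morgan Stanley system: a simulated self-encrypting drive whose media only ever holds ciphertext under a media encryption key, the key replacement that retires it, and the check a decommissioning team would want, a scan of the raw media for plaintext PII. The SimulatedSED class, the SSN pattern and the sample record are invented for the illustration, and an HMAC counter-mode keystream stands in for the AES-XTS a real SED uses.

```python
# Added example (not from the article or Morgan Stanley): a simulated self-encrypting
# drive, the crypto-erase that decommissions it, and a scan of raw media for plaintext
# PII. Names and the sample record are invented; HMAC counter mode stands in for AES-XTS.
import hashlib
import hmac
import os
import re

SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")  # crude PII marker (US SSN shape)

def keystream(key: bytes, length: int) -> bytes:
    # Deterministic keystream: HMAC-SHA256 over a block counter.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

class SimulatedSED:
    # Media only ever holds ciphertext under a media encryption key (MEK).
    def __init__(self) -> None:
        self.mek = os.urandom(32)  # never leaves the drive
        self.media = b""           # what a recovery lab reads off the platters
    def write(self, plaintext: bytes) -> None:
        self.media = xor(plaintext, self.mek)
    def read(self) -> bytes:
        return xor(self.media, self.mek)
    def crypto_erase(self) -> None:
        # Decommissioning an SED: replace the MEK. The ciphertext stays on the
        # platters but is now unrecoverable noise; no overwrite pass is needed.
        self.mek = os.urandom(32)

def recoverable_pii(media: bytes) -> list:
    # Check before a device leaves custody: is any plaintext PII still readable?
    return [m.decode() for m in SSN_RE.findall(media)]

RECORD = b"Customer: Jane Doe, SSN 123-45-6789, account 00112233\n"  # constructed

def decommission_demo() -> dict:
    sed = SimulatedSED()
    sed.write(RECORD)
    readable_before = sed.read() == RECORD
    sed.crypto_erase()  # the one step that retires an SED
    return {"readable_before": readable_before, "readable_after": sed.read() == RECORD,
            "pii_on_sed_media": recoverable_pii(sed.media),
            "pii_on_plain_server": recoverable_pii(RECORD)}  # unencrypted server case
```

The last entry is the contrast the article draws: a server that never encrypted its data still carries readable PII on its media, so only a verified wipe or physical destruction retires it.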
Finally, Morgan Stanley found that 42 servers, all potentially holding unencrypted customer PII and consumer report information, were essentially lost or stolen by the moving company.
"Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so," said Gurbir S. Grewal, Director of the SEC's Enforcement Division. "If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today's action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data."
Morgan Stanley agreed to pay a $35 million fine without admitting or denying the SEC's findings.