The Securities and Exchange Commission has fined Morgan Stanley Smith Barney (MSSB) for failing to protect its customers' personally identifying information (PII) over a five-year period. The SEC claims that Morgan Stanley not only failed to destroy its clients' personal data on hard drives slated for decommissioning but also hired unqualified companies to do so.
The SEC found that Morgan Stanley did not properly dispose of storage devices containing its customers' PII dating back to 2015. The commission also found that in several instances, Morgan Stanley contracted a "moving and storage company with no experience or expertise in data destruction services" to retire thousands of HDDs and servers containing the personal information of millions of its clients. Instead of destroying the drives and servers, the company sold them to a third party, which resold them at an Internet auction.
Typically, companies handling sensitive data use hardware security modules (HSMs) such as Marvell's LiquidSecurity, self-encrypting drives (SEDs), or at the very least encrypt the data in software. Decommissioning an SED is a fast and simple process because it only requires erasing the encryption key from the drive. Morgan Stanley did not use SEDs and did not encrypt the data on its servers, even though the servers supported that capability. Ordinarily, decommissioning a server holding unencrypted data requires erasing all of the data and ensuring it cannot be recovered, which in many cases means the physical destruction of the storage devices. Yet MSSB's contractors did not do that, and MSSB did not properly monitor their work.
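As an added illustration (not from the article or the SEC order), the toy model below shows why erasing the media key sanitizes a self-encrypting drive while an unencrypted server disk keeps its PII until it is overwritten or destroyed, and it includes the read-back check a decommissioning process should run before a drive leaves custody. The HMAC-SHA256 keystream is a constructed stand-in for the drive's AES engine, and the PII record is a constructed sample.

```python
import hashlib
import hmac
import secrets
PII = b"SSN=123-45-6789;ACCT=0000-CONSTRUCTED"  # constructed sample customer record

def keystream(media_key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256; stands in for an SED's AES engine."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(media_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class ToyDrive:
    """Raw 'platters' plus, for a self-encrypting drive, an on-drive media encryption key."""
    def __init__(self, self_encrypting: bool):
        self.media_key = secrets.token_bytes(32) if self_encrypting else None
        self.platters = b""

    def write(self, data: bytes) -> None:
        self.platters = xor(data, keystream(self.media_key, len(data))) if self.media_key else data

    def read(self) -> bytes:
        # The host only ever sees the drive's decryption of what is on the platters.
        if self.media_key is None:
            return self.platters
        return xor(self.platters, keystream(self.media_key, len(self.platters)))

    def crypto_erase(self) -> bool:
        # What an SED sanitize command does: replace the media key; the platters are untouched.
        # An unencrypted disk has no key to discard, so it needs overwriting or destruction instead.
        if self.media_key is None:
            return False
        self.media_key = secrets.token_bytes(32)
        return True

def platters_hold_pii(drive: ToyDrive, marker: bytes = PII) -> bool:
    """Verification a decommissioning process should run before a drive leaves custody."""
    return marker in drive.platters

def decommission(drive: ToyDrive) -> dict:
    """Write PII, attempt a crypto-erase, and report what a later buyer could recover."""
    drive.write(PII)
    before = platters_hold_pii(drive)
    erased = drive.crypto_erase()
    return {"pii_before": before, "crypto_erased": erased,
            "pii_after": platters_hold_pii(drive), "host_read_is_pii": drive.read() == PII}
```

For the SED the platters never hold readable PII and the host read turns to noise once the key is gone; for the unencrypted disk the same record is still sitting on the platters after the "erase" attempt, which is the situation the resold MSSB drives were in.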
Finally, Morgan Stanley found that 42 servers, all potentially storing unencrypted customer PII and consumer report information, were essentially lost or stolen by the moving company.
"Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so," said Gurbir S. Grewal, Director of the SEC's Enforcement Division. "If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today's action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data."
Morgan Stanley agreed to pay a $35 million fine without admitting guilt or denying the SEC's findings.