The Securities and Exchange Commission (SEC) has reached a deal with Morgan Stanley over the latter’s failure to protect customer data.
According to the SEC, Morgan Stanley Smith Barney LLC (MSSB) failed to properly dispose of hard drives containing customer data over a five-year period. Instead, the firm relied on an outside company that was ill-qualified to destroy and decommission thousands of hard drives for the firm, putting the data of 15 million customers at risk.
To make matters worse, some of the hard drives, still containing customers’ personal information, found their way onto an internet auction site. MSSB was able to recover some of the drives, but the vast majority were never recovered.
MSSB also failed to use various security measures that were available. For example, many of the drives had encryption capability built in, but the firm had not activated it, leaving the data unprotected.
As a result of MSSB’s failings, the SEC has imposed a $35 million penalty on the firm, which it has agreed to pay.
“MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so,” said Gurbir S. Grewal, Director of the SEC’s Enforcement Division. “If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”