Morgan Stanley’s wealth management arm hit with $35m data protection fine
The wealth management arm of Morgan Stanley, Morgan Stanley Smith Barney (MSSB), has been hit with a $35 million penalty by the US Securities and Exchange Commission (SEC) for what the regulator describes as “astonishing” customer data protection failures.
The SEC says that, over a five-year period from 2015, MSSB failed to protect the personal identifying information (PII) of approximately 15 million customers.
The firm allegedly employed, on multiple occasions, a moving and storage company with no “experience or expertise” in data destruction services to decommission thousands of hard drives and servers containing the PII of millions of MSSB customers.
The SEC investigation found that the moving company sold thousands of these servers and hard drives, still replete with unencrypted customer data and other PII, to a third party, and that the devices were then sold online.
Additionally, the SEC says the firm failed to safeguard PII and properly dispose of consumer report information as it underwent a hardware refresh programme.
The regulator adds that an exercise undertaken by the firm during this decommissioning process revealed that 42 servers, all potentially containing unencrypted customer PII and consumer report information, were missing.
The SEC says that MSSB also learned that the local devices being decommissioned had been equipped with encryption capability, but that the firm had failed to activate the encryption software for years.
The wealth management firm neither admitted nor denied the SEC’s findings but agreed to pay the $35 million penalty in full to settle the charges.
SEC enforcement division director Gurbir Grewal says: “MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so.
“If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors.”