SEC’s Victory: Morgan Stanley Smith Barney Will Pay $35 Million For Failing to Protect Clients’ Data
For Significant Failures to Protect the Personal Information of Millions of Customers, Morgan Stanley Smith Barney Will Pay $35 Million.
Charges were brought against Morgan Stanley Smith Barney LLC (MSSB) by the Securities and Exchange Commission today due to the company’s repeated failures over a five-year period to secure the personally identifiable data, or PII, of around 15 million clients. To resolve the SEC’s allegations, MSSB has agreed to pay a $35 million fine.
According to the SEC’s ruling, MSSB failed to properly dispose of devices storing its customers’ PII as early as 2015. Multiple times, MSSB contracted with a relocation and storage firm that had no knowledge or experience in data destruction services to decommission thousands of servers and hard drives that contained millions of customers’ PII. In addition, the SEC’s decision claims that MSSB neglected to properly oversee the operations of the moving firm for a number of years.
According to the staff’s research, the moving business sold thousands of MSSB items, such as servers and hard drives, to a third party. Some of these items had customer PII, and they were then resold on an online auction site without being scrubbed of it. While MSSB has retrieved a small number of the devices, the company has not done so for the great majority of the devices, which turned out to have thousands of pieces of unprotected client data.
When decommissioning local office and branch servers as part of a larger hardware renewal effort, MSSB did not adequately secure customer PII or safely dispose of client report data, according to the SEC’s order. During a records reconciliation exercise the company conducted as part of this decommissioning procedure, 42 servers, all possibly carrying unencrypted customer PII and consumer report information, were discovered to be missing. During the same procedure, MSSB also discovered that it had for years neglected to activate the software that encrypted data on the local machines being retired.
Information Could Have Fallen Into the Wrong Hands
“MSSB’s mistakes in this instance are astounding. Customers trust financial experts with their personal information with the knowledge and expectation that it will be protected; nevertheless, MSSB severely failed to meet this expectation,” according to Gurbir S. Grewal, Director of the SEC’s Enforcement Division. “If not adequately protected, this sensitive information might fall into the wrong hands and do terrible harm to investors. With today’s action, financial companies are clearly warned that they must take their responsibility to protect such data seriously.”
Without contesting or rejecting the findings, MSSB complied with the SEC’s ruling that the company violated the Safeguards and Disposal Rules under Regulation S-P, and agreed to pay the aforementioned fine.
Olivia Zach of the SEC’s New York office led the investigation, which was overseen by Celeste Chase and Sanjay Wadhwa.