We have quite the reminder on IT risk today courtesy of the Securities and Exchange Commission. The agency just fined a subsidiary of Morgan Stanley for poor data protection practices, which even led to one incident where the bank’s old IT equipment was sold at auction with customer data still on the hard drives.
The charges were brought against Morgan Stanley Smith Barney, the wealth management division of the bank. An SEC investigation found that at least as far back as 2015, Morgan Stanley failed to dispose of thousands of hard drives and computers properly. The bank hired a moving and storage company with no expertise in data destruction services, and over a period of several years, Morgan Stanley employees failed to monitor the moving company’s work. The moving company sold the equipment with customers’ personally identifiable information still on it, and eventually the hard drives were resold through online auction websites — with the PII still on the drives even then.
Morgan Stanley’s failures in this case were “astonishing,” SEC enforcement chief Gurbir Grewal said in a statement. “Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and [Morgan Stanley] fell woefully short in doing so.”
Morgan Stanley Smith Barney neither admitted nor denied the allegations, but will pay a $35 million settlement for violating the Safeguards and Disposal Rule under Regulation S-P.
The case is interesting because it reminds us that the physical risks to personal information cannot be overlooked as part of your privacy and data security compliance program. That includes proper procedures for data destruction, and especially the destruction of IT equipment. It’s a risk at the tail end of the data governance lifecycle, but ignore it at your peril.
The first incident that tripped up Morgan Stanley happened in 2016. As described in the SEC’s settlement order, the bank hired a moving company to help it dispose of thousands of devices, backup tapes, and other IT equipment, at least some of which contained customers’ PII.
In the contract for that project, the moving company did specify that it would work with an IT firm that managed data destruction — but once the decommissioning project got underway, the moving company switched to a different IT firm. That second IT firm was never vetted by Morgan Stanley, nor approved as a vendor or sub-vendor for this specific project.
You can guess what happened next. The second IT firm simply took computer equipment off the moving company’s hands and resold it on other markets; all while the moving company kept billing Morgan Stanley for data destruction services that never happened. In 2017, an IT consultant in Oklahoma emailed Morgan Stanley to say that he’d purchased some of the old hard drives online and found customer PII stored on them. “You are a major financial institution and should be following some very stringent guidelines on how to deal with retiring hardware,” the consultant wrote in his email. Which is pretty much the same point the SEC made with its enforcement action today.
The SEC order describes various other failures, too. Among them:
- In 2015, the moving company collected 32,000 backup tapes from Morgan Stanley and provided them to that first IT firm for shredding — which did happen, but not according to Morgan Stanley policies. Because the tapes were so sensitive, they should have been shredded quickly; they weren’t.
- In 2016, Morgan Stanley tapped the moving company to decommission the bank’s data center in New York City. Alas, Morgan Stanley “does not have records sufficient to identify the number or types of devices or what data they may have contained.” So nobody is sure what happened to those devices or any PII that may have been on them.
- In 2019, the bank decommissioned 50 items known as Wide Area Application Services (WAAS) devices. In 2020, the bank discovered that (1) four of the 50 WAAS devices had gone missing; and (2) employees had misconfigured the security settings, so that older data might have been left unencrypted.
- In 2021, Morgan Stanley did a wider review and found that actually 42 WAAS devices were missing, not just the four that went MIA in 2020.
In 2020, Morgan Stanley notified roughly 15 million customers that “certain devices believed to have been wiped of all information still contained some unencrypted data,” including PII. And here we are.
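The record-keeping gap above (no ledger sufficient to say how many devices left the building, which ones were actually destroyed, by whom, and how quickly) is the kind of thing a decommissioning program can check mechanically. The script below is an added example, not code from Morgan Stanley, the SEC order, or any vendor: it reconciles a constructed asset-release ledger against the destruction certificates a vendor returns, and flags devices with no certificate, devices destroyed by a party that is not on the firm's approved list, and PII-bearing media that sat undestroyed past a policy window. The vendor names, serials, dates and the 30-day window are all assumptions made for the example.

```python
"""Chain-of-custody reconciliation for decommissioned IT assets.

Added example, not Morgan Stanley's or the SEC's code. It assumes two
constructed record sets: the firm's own decommissioning ledger and the
destruction certificates returned by the vendor. The report answers the
questions the SEC order says the bank could not: how many devices went
out, which have no destruction evidence, who actually destroyed them,
and whether PII-bearing media were destroyed within the required window.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Vendors and sub-vendors the firm has actually vetted (constructed names).
APPROVED_DESTRUCTION_VENDORS = {"ITDestroyCo"}

# Maximum days a PII-bearing device may sit undestroyed after release
# to the vendor. Assumed policy value for this example.
PII_DESTRUCTION_SLA_DAYS = 30


@dataclass(frozen=True)
class Asset:
    serial: str
    kind: str              # "hdd", "tape", "waas", ...
    contains_pii: bool
    released_on: date      # date custody passed to the vendor


@dataclass(frozen=True)
class Certificate:
    serial: str
    performed_by: str      # party that physically destroyed the device
    destroyed_on: date
    method: str            # "shred", "degauss", "crypto-erase"


@dataclass
class Report:
    total: int = 0
    no_certificate: list = field(default_factory=list)
    unapproved_destroyer: list = field(default_factory=list)
    sla_breach: list = field(default_factory=list)
    unknown_serial: list = field(default_factory=list)  # cert for a device never released

    def clean(self) -> bool:
        return not (self.no_certificate or self.unapproved_destroyer
                    or self.sla_breach or self.unknown_serial)


def reconcile(ledger, certificates, approved=APPROVED_DESTRUCTION_VENDORS,
              sla_days=PII_DESTRUCTION_SLA_DAYS) -> Report:
    """Match every released asset to a destruction certificate and apply policy checks."""
    report = Report(total=len(ledger))
    by_serial = {a.serial: a for a in ledger}
    certs = {c.serial: c for c in certificates}

    # A certificate for a serial we never released suggests a bad serial
    # (or a vendor billing for work on devices that are not ours).
    for serial in certs:
        if serial not in by_serial:
            report.unknown_serial.append(serial)

    for asset in ledger:
        cert = certs.get(asset.serial)
        if cert is None:
            report.no_certificate.append(asset.serial)
            continue
        if cert.performed_by not in approved:
            report.unapproved_destroyer.append((asset.serial, cert.performed_by))
        if asset.contains_pii and (cert.destroyed_on - asset.released_on) > timedelta(days=sla_days):
            report.sla_breach.append(asset.serial)
    return report


# Constructed sample data modelled on the failure modes described in the order.
LEDGER = [
    Asset("HDD-0001", "hdd", True, date(2016, 3, 1)),
    Asset("HDD-0002", "hdd", True, date(2016, 3, 1)),
    Asset("TAPE-0100", "tape", True, date(2015, 6, 10)),
    Asset("WAAS-0007", "waas", True, date(2019, 9, 15)),
]
CERTIFICATES = [
    Certificate("HDD-0001", "ITDestroyCo", date(2016, 3, 10), "shred"),
    # HDD-0002 has no certificate: it left custody and was never accounted for.
    Certificate("TAPE-0100", "ITDestroyCo", date(2015, 9, 1), "shred"),          # 83 days later: SLA breach
    Certificate("WAAS-0007", "UnvettedSubVendor", date(2019, 9, 20), "shred"),   # not an approved destroyer
]

if __name__ == "__main__":
    r = reconcile(LEDGER, CERTIFICATES)
    print(f"{r.total} assets released; clean={r.clean()}")
    print("no certificate:      ", r.no_certificate)
    print("unapproved destroyer:", r.unapproved_destroyer)
    print("SLA breach (PII):    ", r.sla_breach)
    print("unknown serials:     ", r.unknown_serial)
```

The point of the design is that the firm keeps its own ledger of what was released and to whom, so the vendor's invoices and certificates are checked against the firm's record rather than being the only record. Every finding the SEC listed (devices with no accounting, an unvetted sub-vendor doing the work, tapes shredded late) shows up as a separate line in the report, which is what a decommissioning project classified as high risk would review before the vendor's bill is paid.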
Policies, Procedures, and Lessons
The SEC flagged several problems that other firms might want to heed as you review your own data destruction policies.
First, appreciate the risks here. Yes, Morgan Stanley Smith Barney did have written policies and procedures for data destruction, but they weren’t strict enough. “All decommissioning projects should have been cataloged as high risk,” the SEC order flatly stated. “MSSB’s policies and procedures, however, did not require that all such projects be treated as high risk.”
Second, design your policies and procedures to fit that high risk. Specifically, the SEC said, Morgan Stanley’s policies and procedures “failed to ensure that a qualified vendor was used for data decommissioning.” The bank knew that the moving company was just a moving company. Given the high risks surrounding customer PII, Morgan Stanley should then have paid much more attention to whether the moving company might sub-contract the data destruction part of the contract, and exercised better control over who those sub-contractors might be and what they would do.
Third, be on-point with your procedures to assess vendor risk. Morgan Stanley originally approved the moving company as a vendor in 2015, but that approval noted “security program is not independently assessed,” which could bring compliance and cybersecurity risks. Still, the bank classified the moving company’s residual risk as “moderate.” Vendor approval documentation from 2016 expressly stated that there were no material sub-vendors in scope for the assessment, but omitted the fact that the moving company’s security plan hadn’t been independently assessed.
Well, if Morgan Stanley had classified data destruction projects as high risk (which it didn’t, but as noted in our first point above, it should have), then ideally that should have triggered a closer review of the moderate-risk moving company working on the contract even though nobody had done a security assessment.
We could go on from there (the SEC order certainly does), but the point is clear. Data destruction is an important part of privacy compliance, and it will typically involve third parties — so your company needs to bring sufficient third-party risk oversight to bear on this decidedly unsexy, but important, part of privacy compliance and risk management.
Something to think about next time you’re ready to upgrade your workstation.