The Securities and Exchange Commission (SEC) has charged Morgan Stanley Smith Barney (MSSB), also known as Morgan Stanley Wealth Management, over failures to protect customers’ personal information.
The regulator alleged that, as far back as 2015, the company failed to properly dispose of devices containing clients’ personal identifying information (PII).
The SEC said that, on multiple occasions, MSSB hired a moving and storage company to remove thousands of hard drives and servers containing PII, even though the moving company had no experience or expertise in data destruction services.
The SEC also found that MSSB failed to monitor the moving company’s work. The moving company sold thousands of Morgan Stanley’s hard drives and servers to a third party, which then re-sold them on an internet auction site without first wiping the clients’ data.
MSSB managed to recover some of the devices, which were found to contain thousands of pieces of unencrypted customer information, but it was unable to recover the vast majority of them.
During the investigation, the SEC also found that local offices and branches of the firm used similar disposal processes. During a records reconciliation exercise, MSSB discovered that 42 servers containing unencrypted PII were missing.
Morgan Stanley also found that the local devices it had disposed of were already equipped with encryption capabilities, but these had not been activated for years, so the data on them was stored in the clear.
‘Astonishing failures’
Morgan Stanley Smith Barney agreed to pay $35m (£30m, €35m) to settle the charges, without admitting or denying the regulator’s findings.
Gurbir Grewal, director of the SEC’s enforcement division, said: “MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so.
“If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. The action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”