On Sept. 20, 2022, the Securities and Exchange Commission (“SEC”) charged Morgan Stanley Smith Barney LLC (MSSB) regarding the firm’s failures to protect the personal identifying information (“PII”) of approximately 15 million customers over a five-year period. “MSSB has agreed to pay a $35 million penalty to settle the SEC charges,” according to the SEC’s press release.
According to the release, MSSB failed to dispose of devices containing its customers’ PII dating back to 2015. “On multiple occasions, MSSB hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the PII of millions of its customers.” The investigation discovered the moving company sold MSSB devices (some of which contained customer PII) to a third party who resold the devices on an internet auction site.
The investigation further found that MSSB failed to safeguard its customers’ PII and properly dispose of consumer report information during a broader hardware refresh program in which it decommissioned the local office and branch servers. A record reconciliation exercise conducted during this time revealed that 42 servers with potentially unencrypted customer PII and consumer report information were missing. MSSB also discovered that the firm had failed to activate the encryption software on local devices being decommissioned for years.
To read the full press release click here.
What does this mean for me?
This case highlights the importance of implementing controls to safeguard and properly dispose of sensitive information and implementing a thorough vendor review program. If you have any questions on how to comply with Safeguards and Disposal Rules under Regulation S-P or need support managing your vendors, Fairview Cyber can help. We assist firms with meeting SEC expectations risk mitigation by offering comprehensive cyber and data security solutions for businesses focused on protecting client data. Contact us today to learn more.