By: Ken Chase.
The U.S. Securities and Exchange Commission confirmed this week that it has levied a $35 million penalty against Morgan Stanley Smith Barney related to the firm’s failure to protect its customers’ personal identifying information (PII) over a five-year period. The data security failures reportedly impacted the personal information of roughly 15 million MSSB customers.
In a press release announcing the action, the SEC alleged that the firm “hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the PII of millions of its customers,” and failed to implement any monitoring of the contracted company’s work.
The SEC investigation found that the devices were then sold to a third party, and ultimately ended up on an internet auction website. Some of those devices reportedly contained customer PII—information that had not been removed prior to sale. Despite later efforts by MSSB to recover the devices, the investigation found that most of them remained at large.
According to the SEC, the firm’s failures also included 42 servers that went missing during a decommissioning effort at its branch offices. The SEC alleges that each of those servers could potentially contain customer PII as well as consumer report information. The firm’s own investigation reportedly found that its personnel had never activated the encryption software with which the servers were equipped, so any data on the missing devices would have been stored in the clear.
SEC Enforcement Division Director Gurbir S. Grewal stressed the magnitude of the firm’s negligence and its potential impact on customers:
“MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so. If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”