The story adds to other cases of large financial institutions' lapses over protecting client information. It highlights how cybersecurity is not just about avoiding hostile forces from outside organizations – such as hackers – it is also about avoiding failings within organizations.

Morgan Stanley Smith Barney LLC, part of Morgan Stanley, has agreed to pay $35 million to settle charges with the Securities and Exchange Commission for “astonishing” failures to protect the data of approximaely 15 million clients. 

The firm’s failings to protect personal identifying information took place over a period of five years, the SEC said in a statement on September 20. This news service has asked Morgan Stanley for comment and may update in due course.

A report by PC Mag quoted a Morgan Stanley spokesperson as saying: "We are pleased to be resolving this matter. We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information."

The story adds to tales of how large institutions have failed to guard information. A few days ago, the Internal Revenue Service said it had inadvertently put 120,000 persons’ details on a public website. The MSSB case also raises questions about the role of third-party data providers and how liability for problems remains with the firm that chooses to outsource certain tasks.

Back in 2015
The SEC said that as far back as 2015, MSSB failed to properly dispose of devices containing its customers’ PII. 

“MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so,” Gurbir S Grewal, director of the SEC’s Enforcement Division, said.

“On multiple occasions, MSSB hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the PII of millions of its customers,” the SEC said.

Over several years, MSSB failed to properly monitor the moving company’s work. The staff’s investigation found that the moving company sold thousands of MSSB devices to a third-party, including servers and hard drives, some of which contained customer PII, and which were eventually resold on an internet auction site without the removal of such customer PII. 

While MSSB recovered some of the devices, which were shown to contain thousands of pieces of unencrypted customer data, the firm has not recovered most of the devices.

The SEC’s order also finds that MSSB failed to properly safeguard customer PII and properly dispose of consumer report information when it decommissioned local office and branch servers as part of a broader hardware refresh program.

A records reconciliation exercise undertaken by the firm during this decommissioning process revealed that 42 servers, all potentially containing unencrypted customer PII and consumer report information, were missing. Moreover, during this process, MSSB also learned that the local devices being decommissioned had been equipped with encryption capability, but that the firm had failed to activate the encryption software for years.

Without admitting or denying its findings, MSSB consented to the SEC’s order finding that the firm violated the Safeguards and Disposal Rules under Regulation S-P and agreed to pay the $35 million penalty.