We would think in this day and age that our large financial institutions have a handle on how to protect our personal financial information. We are constantly reminded to protect that information. Our nation’s financial institutions receive such reminders and are required by law to protect their customer’s information.
One significant source of such information that individuals need to control are the hard drives on our computers. I think it is safe to assume that most adults know that their hard drives contain sensitive information about them, their finances and their families.
Which is why we remove the hard drive from our computers when we sell or dispose of the computer.
However, it seems that Morgan Stanley Smith Barney LLC (MSSB) missed that life lesson, or simply didn’t care about the safety of its customers’ information. Yesterday, on September 20, 2022, the SEC announced that MSSB agreed to settle charges stemming from the firm’s extensive failures, over a five-year period, to protect the personal identifying information, or PII, of approximately 15 million customers.
MSSB has agreed to pay a $35 million penalty to settle the SEC charges.
According to the SEC’s press release, as far back as 2015, MSSB failed to properly dispose of devices containing its customers’ PII. On multiple occasions, MSSB hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the PII of millions of its customers. Moreover, according to the SEC’s order, over several years, MSSB failed to properly monitor the moving company’s work. The staff’s investigation found that the moving company sold to a third party thousands of MSSB devices including servers and hard drives, some of which contained customer PII, and which were eventually resold on an internet auction site without removal of such customer PII. While MSSB recovered some of the devices, which were shown to contain thousands of pieces of unencrypted customer data, the firm has not recovered the vast majority of the devices.
The SEC’s order also finds that MSSB failed to properly safeguard customer PII and properly dispose of consumer report information when it decommissioned local office and branch servers as part of a broader hardware refresh program. A records reconciliation exercise undertaken by the firm during this decommissioning process revealed that 42 servers, all potentially containing unencrypted customer PII and consumer report information, were missing. Moreover, during this process, MSSB also learned that the local devices being decommissioned had been equipped with encryption capability, but that the firm had failed to activate the encryption software for years.
Naturally, since this involves a major brokerage firm, no charges were brought against any executive or individual responsible for this outrageous violation. If this involved one of the small or mid-sized firms, you can be sure the president or other executive would be fined and suspended.
Have a securities law question? Call New York Securities Lawyers at 212-509-6544.
Mark Astarita is a nationally recognized securities attorney, who represents investors, financial professionals and firms in securities litigation, arbitration and regulatory matters, including SEC and FINRA investigations and enforcement proceedings.
He is a partner in the national securities law firm Sallah Astarita & Cox, LLC, and the founder of The Securities Law Home Page - SECLaw.com, which was one of the first legal topic sites on the Internet. It went online in 1995 and is updated daily with news, commentary and securities law related links.