SEC says Morgan Stanley Failed to Protect Customers’ Personal Information
According to a press release on Sept. 20, 2022, the Securities and Exchange Commission announced charges against Morgan Stanley Smith Barney LLC in connection with the firm’s alleged failures, over a five-year period, to protect the personal identifying information of approximately 15 million customers. The firm has reportedly agreed to pay a $35 million penalty to settle the SEC charges.
The SEC reportedly found that as far back as 2015, Morgan Stanley allegedly failed to properly dispose of devices containing its customers’ personal identifying information. On multiple occasions, the firm purportedly hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the personal identifying information of millions of its customers.
Further, over several years, Morgan Stanley allegedly failed to properly monitor the moving company’s work, according to the SEC. The staff’s investigation found that the moving company sold to a third-party thousands of Morgan Stanley devices including servers and hard drives, some of which contained customer personal identifying information, and which were then purportedly resold on an internet auction site without removal of such customer PII. While the firm recovered some of the devices, which were reportedly shown to contain thousands of pieces of unencrypted customer data, the firm has not recovered the vast majority of the devices.
Morgan Stanley allegedly failed to properly safeguard customer personal identifying information and properly dispose of consumer report information when it decommissioned local office and branch servers as part of a broader hardware refresh program.
Further, 42 servers, all potentially containing unencrypted customer information and consumer report information, were purportedly missing. The firm also reportedly learned through the investigation that the local devices being decommissioned had been equipped with encryption capability, but that the firm had allegedly failed to activate the encryption software for years.
“MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected,” said Gurbir S. Grewal, Director of the SEC’s Enforcement Division. “If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”
Morgan Stanley Smith Barney reportedly consented to the SEC’s order finding that the firm violated the Safeguards and Disposal Rules under Regulation S-P and agreed to pay the penalty, without admitting or denying its findings.
Free Consultation with a Securities Fraud Attorney
This information is all publicly available and provided to you by the White Law Group. The White Law Group is a national securities arbitration, securities fraud, and investor protection law firm with offices in Chicago, Illinois and Seattle, Washington.
For a free consultation with a securities attorney, please call The White Law Group at 888-647-5510. For more information on the firm and its representation of investors please visit www.whitesecuritieslaw.com.
Tags: Morgan Stanley fine $35 M, Morgan Stanley personal info, Morgan Stanley SEC charges, Morgan Stanley Smith Barney Last modified: September 20, 2022