A group of attorneys general have fined Morgan Stanley $6.5 million for “negligent internal data security practices” when disposing of old devices, and they will require the investment banking giant to take a number of steps to improve its security.
The fine stems from two previously known data security incidents. In the first, in 2016, Morgan Stanley hired a contractor to decommission thousands of hard drives and servers holding sensitive data. However, the company had no experience with data destruction services, and devices that still contained unencrypted personal customer data were then sold at auction, according to the AG release. The ensuing attorneys general investigation found that Morgan Stanley had not adequately monitored the contractor’s work and did not discover the issue until a downstream purchaser found the data and notified the company.
In the second incident, Morgan Stanley discovered during a decommission process that 42 servers potentially containing unencrypted customer data were missing. The company also discovered that the local devices being decommissioned possibly contained unencrypted data due to a manufacturer flaw in the encryption software, according to the attorneys general investigation.
“The multistate investigation found that Morgan Stanley failed to maintain adequate vendor controls and hardware inventories, and that had these controls been in place, both data security events could have been prevented,” according to a release by Letitia James, New York attorney general, last week. The investigation also involved attorneys general from states where residents’ data were impacted, including Connecticut, Florida, Indiana, New Jersey and Vermont.
In 2020, the U.S. Department of Treasury’s Office of the Comptroller of the Currency (OCC) fined Morgan Stanley $60 million for these incidents. At the time, the OCC noted that Morgan Stanley did not maintain an inventory of the data on the involved devices and did not properly oversee the security practices of the companies it had hired.
Even that $60 million fine is a drop in the bucket for Morgan Stanley, which recently reported net revenue of $13.3 million for its third quarter of 2023, ended Sept. 30. Unlike the previous $60 million penalty from 2020, however, the new agreement requires Morgan Stanley to adopt several provisions to improve its security in addition to paying a monetary fine.
As part of the AG agreement, Morgan Stanley must encrypt all personal data, maintain a written policy governing the collection, use, retention and disposal of customer data, and create a security program with “regular updates that are necessary to reasonably protect the privacy, security and confidentiality of personal information.”
Additionally, the company must employ a manual process with automated tools to locate all hardware with personal data, create an incident response plan and employ a vendor risk assessment for making sure that vendors are compliant with the company’s data security requirements.
Companies decommission end-of-life devices either to repurpose or to dispose of them, but appropriate security measures must be in place beforehand. For instance, companies should maintain an inventory of their devices so they know which devices require security measures before decommissioning and whether each one contains encrypted data.
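As an added illustration of the inventory and vendor controls described above (example code written for this article, not Morgan Stanley's or any vendor's tooling), the script below reconciles an asset inventory against a decommissioning vendor's destruction certificate. It flags the two failure modes the investigation describes: devices that never came back from the vendor, and devices holding personal data that cannot be trusted as encrypted. All asset records, the certificate and the defective-product list are constructed sample values.

```python
"""Reconcile a hardware inventory with a vendor's destruction attestation
before any decommissioned device is allowed to leave the company's control."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str                 # "server" or "drive"
    holds_personal_data: bool
    encrypted: bool
    encryption_product: str   # "" when the device is not encrypted


# Constructed placeholder: encryption products an internal review has found
# defective, so their "encrypted" flag must not be relied on.
DEFECTIVE_ENCRYPTION = {"ExampleCrypt 1.0"}


def effectively_encrypted(asset: Asset) -> bool:
    """Treat a device as encrypted only if its product is not known-defective."""
    return asset.encrypted and asset.encryption_product not in DEFECTIVE_ENCRYPTION


def reconcile(inventory, attested_ids):
    """inventory: assets the company expects to be decommissioned.
    attested_ids: asset ids listed on the vendor's wipe/destruction certificate.
    Returns the asset ids that need follow-up before release is approved."""
    known = {a.asset_id for a in inventory}
    attested = set(attested_ids)
    missing = sorted(known - attested)          # handed over, never attested
    unexpected = sorted(attested - known)       # attested but not in inventory
    release_blocked = sorted(                   # personal data, not trustably encrypted
        a.asset_id for a in inventory
        if a.holds_personal_data and not effectively_encrypted(a))
    clear = not (missing or unexpected or release_blocked)
    return {"missing": missing, "unexpected": unexpected,
            "release_blocked": release_blocked, "clear": clear}


# Constructed sample inventory and vendor certificate.
INVENTORY = [
    Asset("SRV-001", "server", True, True, "ExampleCrypt 2.1"),
    Asset("SRV-002", "server", True, False, ""),
    Asset("SRV-003", "server", False, False, ""),
    Asset("DRV-010", "drive", True, True, "ExampleCrypt 1.0"),
]
VENDOR_CERT = ["SRV-001", "SRV-002", "DRV-010", "DRV-999"]


def audit_sample():
    return reconcile(INVENTORY, VENDOR_CERT)
```

Anything in `missing` or `release_blocked` should stop the release and trigger the incident response plan; `unexpected` ids indicate the vendor's records and the inventory have diverged and need investigation.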
“We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to have resolved this related investigation,” according to a Morgan Stanley spokesperson.