Morgan Stanley has agreed to pay a $60 million fine for its repeated failures to adequately protect customer data when disposing of old equipment.
The United States Department of Treasury’s Office of the Comptroller of the Currency said this week that both Morgan Stanley Bank NA and Morgan Stanley Private Bank NA failed to take proper precautions to protect customer data when it shut down two data centers for its U.S. wealth-management operations in 2016. The bank did not maintain inventory of the customer data on those systems, and did not properly oversee the contractors it hired to make sure customer data had been wiped from the old equipment, the OCC said in its consent order. The bank informed affected customers this July, after it was instructed to do so by the OCC, and provided two years of free credit monitoring and fraud detection services with Experian.
“Among other things, the banks failed to effectively assess or address risks associated with decommissioning its hardware; failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices,” the OCC said.
The OCC said that Morgan Stanley’s failures to make sure adequate protections were in place was “part of a pattern of misconduct,” noting that the bank had a similar situation in 2019 when servers in some branch locations were replaced. Morgan Stanley told some state attorneys general it couldn’t locate the older equipment containing unencrypted customer data.
Many data breaches occur because an outside adversary bypassed security defenses or somehow compromised a system. Human error, however, was the second most common cause of data breaches in 2019 (22 percent), according to the 2020 Verizon Data Breach Investigations Report. Security missteps by contractors can turn into a data breach, which is why organizations have to be vigilant about what their partners are doing. Risk Based Security said earlier this year that there were 368 incidents involving third-party vendors in 2019, a 35 percent increase from 2017.
Morgan Stanley is reportedly considering “appropriate legal action” against the outside contractor, AdvisorHub reported over the summer.
Morgan Stanley paying the fine does not mean the financial services giant admits, or denies, the OCC’s allegations. “Nothing in this Order is a release, discharge, compromise, settlement, dismissal, or resolution of any actions,” the OCC said.
The OCC also did not impose additional business restrictions on Morgan Stanley on top of the fine because Morgan Stanley had "undertaken initial corrective actions and is committed to taking all necessary and appropriate steps to remedy the deficiencies," according to the consent order.
The OCC's role is to regulate and supervise all national banks and federal savings associations, but this fine—$60 million—doesn’t even qualify as a slap on the wrist for the bank, who reported net revenues of $13.4 billion in the second quarter of 2020 ending June 30 and full year net revenue of $41.4 billion in 2019. It is in line with the p$80 million fine Capital One agreed to pay in connection the 2019 data breach that affected approximately 106 million people. Capital One reported $28.6 billion in total revenue in 2019.
At least in the case of Capital One, the OCC required Capital One to improve its security practices and update its risk management processes.
The OCC has imposed large fines before, but not for data security violations or breaches. Just a day earlier, OCC assessed a $400 million civil money penalty against Citibank for failing "to implement and maintain an enterprise-wide risk management and compliance risk management program, internal controls, or a data governance program commensurate with the Bank’s size, complexity, and risk profile." Under the terms of the order, Citibank has to receive the OCC's "non-objection" before significant new acquisitions. OCC also reserved the authority to implement additional restrictions if Citibank does not make the necessary improvements.
The enforcement action against Citibank revolved around the bank's governance/risk/compliance activities, or to be more specific, the lack of them. OCC called out Citibank's failure to "address data governance deficiencies, including data quality errors and failures to produce timely and accurate management and regulatory reporting."
The Federal Reserve Board announced its own enforcement actions (no fine) against Citibank this week. The Fed's order requires Citibank to perform a number of actions, including conducting "a gap analysis of its enterprise-wide risk management framework and internal controls systems" and making improvements improvements to "the management information systems, data, and reports provided to Citigroup’s board of directors and senior management concerning compliance risks."
The agreement doesn’t mean Morgan Stanley is done dealing with the aftermath of the 2016 breach as the bank is facing at least two class-action lawsuits alleging negligence and invasion of privacy. The plaintiffs, former and current Morgan Stanley customers (including Smith Barney account-holders), claimed the data left on the decommissioned equipment—including Social Security numbers, passport information and other account numbers—were everything criminals would need to steal identities and make fraudulent purchases. One of the lawsuits is asking for $5 million in damages.
One of the lawsuits said plaintiffs were injured by “lost or diminished value” of their personal identification data, and the continued uncertainty and risk of identity theft.
“In addition to Morgan Stanley’s failure to prevent the Data Breach, Defendant failed to detect the Data Breach for years, and when they did discover the Data Breach, it took them over a year, possibly longer, to report it to the affected individuals and the states’ Attorneys General,” the lawsuit said.
Morgan Stanley said in a statement that it had found no evidence during its investigation or in the subsequent monitoring that anyone had improperly accessed or used the information that was on the old hardware.
“We have continuously monitored the situation and we do not believe that any of our clients’ information has been accessed or misused,” Morgan Stanley told Bloomberg. “Moreover, we have instituted enhanced security procedures, including continuous fraud monitoring, and will continue to strengthen the controls that we have in place to protect our clients’ information.”
Morgan Stanley previously agreed to pay the Securities and Exchange Commission $1 million after a broker downloaded client data onto his personal computer. At the time, the FTC had chalked the breach, which affected up to 350,000 accounts, up to a “glitch” and did not impose sanctions.