Mismanagement of Client Data Results in a $35 Million Fine for Large Investment Company

Juhi Desai

Associate Editor

Loyola University Chicago School of Law, JD 2024

Morgan Stanley Smith Barney (“Morgan Stanley”), a leading investment company, found itself in hot water after complaints of a data breach. In 2015, Morgan Stanley allegedly auctioned off devices that contained sensitive information. On September 20, 2022, the U.S. Securities and Exchange Commission (SEC) fined the multinational company $35 million because of the leak.

What happened?

In 2015, as part of a broader hardware refresh program, Morgan Stanley reportedly disposed of old computer hardware, such as hard drives and computer servers. This cleanout was done with the help of a moving company that did not have the proper expertise to destroy unencrypted client data. It was during this process that clients' sensitive information was not properly disposed of.

There were allegedly 42 hard drives that the investment company disposed of at various times throughout the year. These drives were later resold elsewhere with the company data still present and unencrypted. Morgan Stanley claims it was not aware the privileged information was still on the drives. Most of the data on these drives was sensitive, pertaining to an estimated 15 million of the firm's clients. Morgan Stanley was informed about the leak after an IT consultant from Oklahoma notified them about the preexisting client data on the servers he had retrieved from an auction. However, the firm was not made aware of the leak until 2017, more than a year after it occurred. Although Morgan Stanley was able to recover a few of the drives, most of the leaked data was lost.

The failure to delete privileged data was not the only thing that went wrong during this cleanout. Ironically, throughout this process, Morgan Stanley learned about the unused encryption capability its devices contained. Despite using these programs for years, Morgan Stanley neglected to activate the encryption software. The system was meant to ensure privileged client data would be inaccessible to third parties who could not supply the necessary credentials. Had this system been activated, the likelihood of data disclosure would have been slim to none.

The hefty fine

The SEC, a federal agency that monitors and enforces laws against market manipulation, said in its statement dated September 20, 2022, that Morgan Stanley violated the regulation that requires “brokers and money managers to protect the security and confidentiality of certain customer records.”

The $35 million fee given to Morgan Stanley earlier this year represents a monetary punishment against the investment company. No doubt, the SEC is hoping to encourage Morgan Stanley, and other similarly situated businesses, to comply with federal laws. The agency is not shy about fining those who are not in compliance with federal rules and regulations. In 2021, the agency reportedly “imposed fines of $300,000 or less on three smaller financial-advisory firms” regarding the same issue. The SEC emphasizes how important the protection of client data is, and how disastrous the leak could have been had the data been acquired by someone with ill intentions.

Morgan Stanley has agreed to pay the fine without admitting or denying the charges. The firm states there was no misuse or “exploitation” of any sensitive data over the years. In a statement, a spokesperson for Morgan Stanley relayed that the firm was “pleased to be resolving this matter.”

Why is it important?

With more people using the internet and entering their personal information into online databases, there have been growing concerns about the lack of security around sensitive client information. At the beginning of the month, numerous American Airlines employees and customers were notified that their personal data, including passport numbers, was compromised during an alleged data breach that occurred in July. Similarly, earlier this week Uber notified its users that an anonymous third party had hacked into its internal network and may have stolen some customer data. Concerns regarding cybersecurity remain top of mind.

Many citizens are worried that these major companies are only getting a “slap on the wrist” with these fines. Instead, they hope institutions like the SEC will enforce stricter penalties to put a full stop to future data breaches.

As a company with high-profile clients, the data that Morgan Stanley stores should be protected with the utmost integrity. Because of its respectable reputation, many clients fully entrust Morgan Stanley to keep their data private, especially from unknown third parties. It is the firm's duty not only to destroy privileged data itself but also to hire professional services to verify that destruction before the devices are resold.

This was not the only time Morgan Stanley has been part of a scandal concerning a data breach. The firm had previously been the victim of a cybersecurity incident in 2021, after attackers hacked into the Accellion server and stole its customers' data.

Hopefully, this hefty penalty serves as a reminder to all other organizations to ensure their data management is top-tier and to invest in stronger cybersecurity.