In one episode described by the SEC, Morgan Stanley hired a moving company — which had “no experience or expertise” in data destruction — to remove thousands of hard drives and servers containing client data.
The moving company later sold thousands of Morgan Stanley devices, some of which contained personally identifiable information, to a third party, the SEC said.
Those devices were eventually sold on an Internet auction site — without removing sensitive data, according to the settlement.
Morgan Stanley was able to recover some of those devices, which contained “thousands of pieces of unencrypted customer data,” the SEC said.
“The company has not recovered the majority of the devices,” according to the settlement.
Morgan Stanley’s “failures in this case are staggering,” Gurbir Grewal, director of the SEC’s enforcement division, said in a statement. “If not properly protected, this sensitive information can fall into the wrong hands and have disastrous consequences for investors.”
In addition to the hard drives and servers, the SEC found that Morgan Stanley failed to protect client data and properly delete consumer reporting information in other ways, including when the firm shut down local office and branch servers. The settlement said a Morgan Stanley review found 42 servers, all of which were “missing” unencrypted data and consumer reporting information.
Morgan Stanley agreed to pay the fine without admitting or denying the consequences of the settlement.
In a statement, Morgan Stanley said it is pleased to have resolved this issue and expressed confidence that no sensitive data was exploited.
“We have notified clients in advance of these applicable matters, which occurred several years ago, and have not detected any unauthorized access or misuse of clients’ personal information,” Morgan Stanley said in the statement.