Morgan Stanley Settles with SEC on Customer Information Disclosure


The Securities and Exchange Commission issued a press release today detailing charges that had been brought against Morgan Stanley Smith Barney LLC (Morgan Stanley). The release explained that the charges stemmed from “the firm’s extensive failures, over a five-year period, to protect the personal identifying information, or PII of approximately 15 million customers.” Morgan Stanley will pay $35 million to settle the charges.

The charges date back to 2015, when the company failed to properly wipe information from devices that it was disposing of. Morgan Stanley allegedly hired a moving and storage company that had no experience in data destruction, meaning that when hard drives and servers were disposed of, they still held customers’ personal identifying information. Following this, Morgan Stanley failed to properly monitor the moving and storage company’s work.

An investigation revealed that the moving and storage company sold the Morgan Stanley servers and hard drives to a third party. Eventually, all of the devices were resold “on an internet auction site without removal of such customer PII.”

Although Morgan Stanley recovered some of the devices, most have not been recovered. The SEC found that Morgan Stanley “failed to properly safeguard customer PII and properly dispose of consumer report information when it decommissioned local office and branch servers as part of a broader hardware refresh program.”

The Director of the SEC’s Enforcement Division, Gurbir S. Grewal, stated that Morgan Stanley’s failures in the case were “astonishing,” and that the firm had fallen “woefully short” in protecting the personal information of its customers. He further explained that if it is not “properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”

Morgan Stanley settled with the SEC without admitting or denying its findings. The firm will owe $35 million.