Company fined millions for improper hard drive data removal
Morgan Stanley Smith Barney (MSSB) took a gamble to save a few dollars on IT asset disposition (ITAD) services. The result was a serious breach of the privacy requirements for some 15 million individuals and a settlement with the U.S. Securities and Exchange Commission (SEC) for $35 million.
The SEC concluded that since 2015, MSSB failed to properly dispose of IT equipment containing client information. MSSB hired a moving company with no experience or expertise in electronics recycling or data-destruction services to decommission thousands of hard drives and servers containing the information of millions of its customers.
Moreover, the moving company sold thousands of MSSB devices including servers and hard drives to a third party, some of which contained customers’ personally identifiable information (PII). From there, the equipment was resold on an internet auction site without removing the PII. The client information included account names and numbers (at Morgan Stanley and any linked bank accounts), Social Security number, passport number, contact information, date of birth, asset value and holdings data.
There is no statute of limitations or safe harbor for improperly discarded IT assets.
“MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so,” said Gurbir S. Grewal, Director of the SEC’s Enforcement Division.
The Treasury Department already fined the company $60 million, and MSSB finalized a legal settlement obligating it to pay $68.2 million to protect customers whose personal information it can’t account for. So far, Morgan Stanley’s ITAD mistakes have cost the banking giant over $163 million.
Hires non-ITAD vendor to cut costs
According to the plaintiffs in a class action case, MSSB was trying to save money and terminated a contract with a long-standing vendor for the decommissioning, wiping and destruction of computer equipment. Rather than hiring another certified recycling company, MSSB decided to hire a moving company with no ITAD experience for a total savings of $100,000.
Within some of the 4,900 devices picked up by the moving company were hard drives holding unencrypted personal information from MSSB clients. At first, the data center devices were delivered to an e-scrap company, which tracked them in a database through the collection, wiping and resale processes. However, “no one at MSSB monitored the database,” according to the SEC.
The moving company stopped working with the e-scrap company and began selling the hard drives to another unapproved company. That unapproved company sold them to yet another company, which auctioned off the devices containing unencrypted customer information.
MSSB finally realized there was a problem when an individual bought one of those data-bearing hard drives on an e-commerce platform and contacted Morgan Stanley about what he had found.
Data destruction lessons to be learned
Even Fortune 100 companies can make electronics recycling and data destruction mistakes, especially when trying to cut corners. These ITAD issues started back in 2015, and Morgan Stanley may have hoped that the problem would just disappear over time, but it actually got worse.
“There is no statute of limitations or safe harbor for improperly discarded IT assets,” said a representative of the International Secure Information Governance & Management Association (i-SIGMA). “If a hard drive turns up five or 10 years down the road with personal information on it, it is still a data breach plain and simple.”
Banking and financial services companies typically require that all electronics recycling companies providing data destruction services be NAID AAA Certified. This would have assured that those hard drives would have been handled within compliance of all known data protection laws. Unfortunately for MSSB, the moving company they hired was not NAID AAA Certified.