The SEC action said that the improper disposal of thousands of hard drives starting in 2016 was part of an “extensive failure” over a five-year period to safeguard customers’ data as required by federal regulations. The agency said that the failures also included the improper disposal of hard drives and backup tapes when decommissioning servers in local branches. In all, the SEC said data for 15 million customers was exposed.
Apparently, the case made SEC blink with "astonishment" although we tend to find that people who use the word "astonishing" are easily confounded and it does seem rather a long time to sort the case out if it was that astonishing.
Director of the SEC’s enforcement division Gurbir Grewal said: “Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so.”
Much of the failure stemmed from the 2016 hire of a moving company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the data of millions of customers. The moving company received 53 RAID arrays that collectively contained roughly 1,000 hard drives, and it also removed about 8,000 backup tapes from one of the Morgan Stanley data centers.
The moving company initially contracted with an IT specialist to wipe or destroy any sensitive data stored on the drives. Eventually, the moving company stopped working with that specialist and began selling the storage devices to a company that in turn sold them at auction. The new company was never vetted by Morgan Stanley or approved as a contractor or subcontractor in the decommissioning project.
In 2017, more than a year after the data center's decommissioning, Morgan Stanley officials received an email from an IT consultant in Oklahoma, informing them that hard drives he purchased from an online auction site contained Morgan Stanley data.
The SEC action also said that many of the storage devices didn’t have encryption turned on, though the option existed. Even after the investment firm began using encryption options in 2018, only new data written to the disks was protected. In some cases, data still wasn’t properly encrypted because of a flaw in an unidentified vendor’s product.
Without admitting or denying the SEC claims, Morgan Stanley agreed to Tuesday’s finding that it violated the Safeguards and Disposal Rules under Regulation S-P and agreed to pay the $35 million to make the case go away.
In a statement, Morgan Stanley officials wrote, “We are pleased to be resolving this matter. We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorised access to, or misuse of, personal client information.”