- Morgan Stanley will pay a $35 million penalty to resolve allegations it failed to protect the personal identifying information (PII) of 15 million people, the Securities and Exchange Commission (SEC) said Tuesday.
- The bank, over a five-year period starting in 2015, hired a moving and storage company with no experience in data destruction to decommission thousands of hard drives and servers but failed to monitor the company’s work, the SEC said. The moving company sold the devices to a third party, which auctioned them online with some unencrypted data intact.
- Morgan Stanley recovered some of the devices, but not “the vast majority,” the SEC said.
This is hardly the first time Morgan Stanley has been ordered to pay up for customer data exposure. The Office of the Comptroller of the Currency (OCC) fined the bank $60 million in October 2020 for failing to oversee the decommissioning of two data centers connected to its wealth management business. Morgan Stanley had hired a third-party vendor to wipe data from servers and other hardware, but PII remained on the equipment after it was sold to a recycler.
The bank in December agreed to settle a class-action suit for $60 million to resolve claims it compromised the PII of 15 million current and former clients. Plaintiffs alleged that a software flaw left data on the old servers in unencrypted form, and that some of those servers went missing.
Gurbir Grewal, director of the SEC’s enforcement division, called Morgan Stanley’s failures “astonishing.”
“Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and [Morgan Stanley] fell woefully short,” Grewal said Tuesday. “If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors.”
A Morgan Stanley spokesperson told Banking Dive the bank was pleased to resolve the issue.
“We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information,” the spokesperson said.
Morgan Stanley neither admitted nor denied the SEC’s findings.
The regulator’s order also found that Morgan Stanley failed to properly safeguard PII and dispose of consumer report information when it decommissioned office and branch servers as part of a hardware refresh. Forty-two servers, each potentially holding unencrypted PII or consumer report information, were unaccounted for. What’s more, those devices had shipped with an encryption capability, but the company never activated it, so any data left on them was stored in the clear.
Tuesday’s penalty marks a considerable uptick in the going rate for a record-keeping violation with the SEC. Morgan Stanley’s wealth management business agreed to pay the regulator $1 million in 2016 for a similar offense, the Financial Times reported. The SEC last year handed fines of $300,000 or less to three smaller financial-advisory companies accused of similar violations, according to The Wall Street Journal.