On September 20, 2022, the SEC fined financial services giant Morgan Stanley Smith Barney (“MSSB”) $35 million for failing to adequately protect its customer’s records and personal identifying information (“PII”). [1] The fine was entered via a settlement between the SEC and MSSB, through which MSSB has agreed to pay a civil penalty for the SEC’s charges without admitting to nor denying the violations. [2]

MSSB is a subsidiary of Morgan Stanley and focuses on wealth management services for clients ranging from individuals to large corporations. [3] More specifically, MSSB is the broker-dealer designation for the group more commonly known as Morgan Stanley Wealth Management. [3] During the second quarter of 2022, Morgan Stanley Wealth Management recorded $5.7 billion in net revenues. [4]

Through its order, the SEC alleged that MSSB engaged in two separate violations of federal securities laws. First, the order alleged that MSSB willfully violated the Safeguards Rule, a federal regulation which requires broker-dealers to adopt written policies and procedures regarding safeguards for the protection of customer data. [1]

Second, the order alleged MSSB’s willful violation of the Disposal Rule, a federal regulation requiring broker-dealers which possess consumer data to “take reasonable measures to protect against unauthorized access to, or use of, the information in connection with its disposal.” [1]

MSSB’s alleged violations occurred in connection with its effort in 2016 to decommission two data centers (the “2016 Data Center Decommissioning”). [1] To accomplish the decommissioning process, MSSB contracted with one approved vendor, referred to as “Moving Company,” to “pick-up, transport and decommission” devices from the MSSB data centers. [1] While Moving Company was one of MSSB’s approved vendors, MSSB never approved any sub-vendors for the decommissioning process. [1]

Despite this fact, Moving Company worked jointly over the course of the decommissioning process with two separate, unapproved sub-vendors – “IT Corp A” and “IT Corp B.” [1] Initially, Moving Company collected devices from the data centers and delivered them to IT Corp A. IT Corp A would either complete the required data-wiping processes and resell the devices, or destroy the devices altogether. [1] Inventories were kept, and MSSB received information about the wiped and destroyed devices from Moving Company. [1]

Not long after the decommissioning began, however, Moving Company ceased working with IT Corp A in favor of IT Corp B. Per the SEC’s findings, Moving Company sold the MSSB devices to IT Corp B under the guise that the devices had already been wiped of any MSSB data. In reality, the devices had not been wiped, yet IT Corp B gained possession of the devices and began selling them to downstream customers. [1]

MSSB became aware of this data breach when an IT consultant from Oklahoma emailed MSSB to inform them that it had purchased hard drives via an online auction, and that the hard drives contained accessible MSSB customer data. [1]

In all, the SEC’s order seeks to hold MSSB accountable for its failure to properly safeguard the sensitive data its customers entrust it with. Per the SEC’s findings, MSSB failed to adequately vet the data wiping and destruction processes of its approved vendor, Moving Company, and further failed to maintain its own internal policies and procedures to ensure customer data is disposed of properly. [1]

This situation serves as a cautionary tale. While MSSB contends that it has received no reports of customer data being misused as a result of this breach, the company still clearly has room for improvement in maintaining the security of its customer data. No matter the size of the broker, investors should be wary of the safety of their personal data.

Have concerns about a breach of your personal data? Reach out to one of the trusted attorneys at Savage-Villoch Law for a consultation.

Sources:

[1] https://www.sec.gov/litigation/admin/2022/34-95832.pdf

[2] https://www.sec.gov/news/press-release/2022-168

[3] https://www.morganstanley.com/content/dam/msdotcom/en/about-us-ir/shareholder/2q2022.pdf

The SEC’s order concerns a period of time from 2016 through 2019, during which the SEC alleged that respondents made material misrepresentations and omissions about their oil and gas securities offerings. [1] The order states that neither Powell nor Toth were registered nor even associated with a registered broker-dealer during the relevant time period as they sold unregistered securities to investors. [2]

RCP is described as a private equity firm that “gives smart investors access to beyond-Wall Street assets, such as oil and gas wells” by creating, and then offering, oil and gas debt and equity investment vehicles for oil and gas wells. [2] In so doing, RCP relies on Homebound to identify and purchase these oil and gas wells. [2] During the relevant time period, Thomas Powell owned RCP while Stefan Toth owned and managed Homebound. [2]

Some of the several material misrepresentations and omissions highlighted in the SEC’s order include:

• Circulating offerings materials which falsely stated that respondent’s oil and gas securities were sold by FINRA-member broker-dealers who were registered with the SEC.
• Publishing “one-pager” documents for investors that contained “insufficiently supported oil well production projections.” These projections did not vary by region and projected that three separate wells would produce 510 barrels/day while actual production at these wells landed at only 3-5 barrels/day.
• Failing to take reasonable steps to ensure that investors were accredited, resulting in the sale of unregistered securities to approximately 200 non-accredited investors
• Misleading retirement account investors by advertising the potential tax benefits of oil & gas investments without stating that these benefits were not available to retirement account investors. [2]

Although Powell and Toth neither admitted to nor denied the charges, they have each agreed to pay a civil penalty of $75,000. Homebound and RCP have each agreed to pay a civil penalty of $225,000. The respondents also face several other consequences as part of the settlement, including a two-year prohibition on participating in any unregistered oil and gas related offerings, and a requirement that the SEC’s order be linked on all of their websites for the next three years.

Respondents must also hire an “Independent Compliance Consultant” at their own expense to review their policies and procedures as they relate to federal securities law, as well as to certify that respondents are indeed in compliance with said policies and procedures prior to any offering of securities. [2]

These punitive measures are designed with investor protection and the public interest in mind, as the SEC aims to reduce the instance of similar violations not only by respondents, but also by other equity firms and broker-dealers in the United States. The order also serves as an important reminder for investors to partner closely with trusted professionals in making informed investment decisions, especially in a volatile market like oil and gas.

Sources: [1] https://www.sec.gov/news/press-release/2021-193?utm_medium=email&utm_source=govdelivery [2] https://www.sec.gov/litigation/admin/2021/33-10987.pdf