Is Your Stockbroker Keeping Your Personal Data Safe?

While it may be difficult to verify first-hand how securely your stockbroker keeps your personal information, a recent order from the Securities and Exchange Commission (SEC) shows that even the largest stockbrokers are prone to customer data breaches.

On September 20, 2022, the SEC fined financial services giant Morgan Stanley Smith Barney (“MSSB”) $35 million for failing to adequately protect its customers’ records and personal identifying information (“PII”). [1] The fine was entered via a settlement between the SEC and MSSB, through which MSSB has agreed to pay a civil penalty for the SEC’s charges without admitting or denying the violations. [2]

MSSB is a subsidiary of Morgan Stanley and focuses on wealth management services for clients ranging from individuals to large corporations. [3] More specifically, MSSB is the broker-dealer designation for the group more commonly known as Morgan Stanley Wealth Management. [3] During the second quarter of 2022, Morgan Stanley Wealth Management recorded $5.7 billion in net revenues. [4]

Through its order, the SEC alleged that MSSB engaged in two separate violations of federal securities laws. First, the order alleged that MSSB willfully violated the Safeguards Rule, a federal regulation which requires broker-dealers to adopt written policies and procedures regarding safeguards for the protection of customer data. [1]

Second, the order alleged MSSB’s willful violation of the Disposal Rule, a federal regulation requiring broker-dealers which possess consumer data to “take reasonable measures to protect against unauthorized access to, or use of, the information in connection with its disposal.” [1]

MSSB’s alleged violations occurred in connection with its effort in 2016 to decommission two data centers (the “2016 Data Center Decommissioning”). [1] To accomplish the decommissioning process, MSSB contracted with one approved vendor, referred to as “Moving Company,” to “pick-up, transport and decommission” devices from the MSSB data centers. [1] While Moving Company was one of MSSB’s approved vendors, MSSB never approved any sub-vendors for the decommissioning process. [1]

Despite this fact, Moving Company worked jointly over the course of the decommissioning process with two separate, unapproved sub-vendors – “IT Corp A” and “IT Corp B.” [1] Initially, Moving Company collected devices from the data centers and delivered them to IT Corp A. IT Corp A would either complete the required data-wiping processes and resell the devices, or destroy the devices altogether. [1] Inventories were kept, and MSSB received information about the wiped and destroyed devices from Moving Company. [1]

Not long after the decommissioning began, however, Moving Company ceased working with IT Corp A in favor of IT Corp B. Per the SEC’s findings, Moving Company sold the MSSB devices to IT Corp B under the guise that the devices had already been wiped of any MSSB data. In reality, the devices had not been wiped, yet IT Corp B gained possession of the devices and began selling them to downstream customers. [1]

MSSB became aware of this data breach when an IT consultant from Oklahoma emailed MSSB to inform it that the consultant had purchased hard drives via an online auction and that the hard drives contained accessible MSSB customer data. [1]

In all, the SEC’s order seeks to hold MSSB accountable for its failure to properly safeguard the sensitive data its customers entrust it with. Per the SEC’s findings, MSSB failed to adequately vet the data wiping and destruction processes of its approved vendor, Moving Company, and further failed to maintain its own internal policies and procedures to ensure customer data is disposed of properly. [1]

This situation serves as a cautionary tale. While MSSB contends that it has received no reports of customer data being misused as a result of this breach, the company still clearly has room for improvement in maintaining the security of its customer data. No matter the size of the broker, investors should be wary of the safety of their personal data.

Have concerns about a breach of your personal data? Reach out to one of the trusted attorneys at Savage-Villoch Law for a consultation.






