As many of you know, there have been a series of big data breaches recently—the BlueCross BlueShield data breach involving more than 1 million members’ subscriber information, the Anthem data breach that exposed more than 80 million patient and employee records, and the Army National Guard data breach caused by a contract employee’s improper handling of a data transfer to a non-accredited data center, among others. With all these high-profile breaches, you’d think companies, especially big corporations, would have had a chance to review their systems and close any loopholes. Or maybe not. On June 9, 2016, the Securities and Exchange Commission (“SEC”) issued an order against Morgan Stanley Smith Barney LLC (“Morgan Stanley”) in connection with the company’s failure to safeguard customer information.[1] The full text of the order is available here.
The SEC requires every broker-dealer and investment adviser registered with the agency to adopt written policies and procedures reasonably designed to protect confidential customer information and minimize the risks of any anticipated threats of data breach.[2] According to the SEC, however, Morgan Stanley failed to ensure the reasonable design and proper operation of its policies and procedures for two internal portals, allowing personally identifiable information (“PII”) of its customers to be misappropriated by a then-employee, Galen Marsh.[3] Specifically, the SEC says that Marsh, initially a sales assistant and subsequently a financial adviser, discovered a system glitch that let him access customer data outside of his purview. The SEC alleges that even though Marsh’s entitlements to access particular data were supposed to change when he was promoted, Morgan Stanley failed to make such an entitlement change and, thus, Marsh’s unauthorized accessing of confidential customer data continued, eventually reaching a total of approximately 4,000 unauthorized searches.
The SEC says that Marsh transferred the data to a personal server located at his home by accessing his personal website, which had a feature that enabled Marsh to transfer data from his work computer to his personal server. Although Morgan Stanley maintained certain technology controls that restricted employees from copying data onto removable storage devices and from accessing certain categories of websites, the SEC alleges that Morgan Stanley’s internet filtering software did not prevent employees from accessing such “uncategorized” websites from its computers. Subsequently, Morgan Stanley discovered through a routine Internet sweep that portions of the data downloaded by Marsh were posted to at least three Internet sites, purportedly for sale to a third party. According to the SEC, Morgan Stanley promptly took steps to remove this data from the Internet, notified law enforcement authorities, and identified Marsh as the likely source of the data breach, though subsequent forensic analysis of Marsh’s personal server revealed that a third party likely hacked into the server and copied the customer data.
The SEC maintains that Morgan Stanley’s policies and procedures were not reasonably designed to safeguard its customers’ PII and failed to address certain key administrative, technical, and physical safeguards, such as: reasonably designed and operating authorization modules for the portals to restrict employee access to only the confidential customer data for which such employees had a legitimate business need; auditing and/or testing of the effectiveness of such authorization modules; and monitoring and analysis of employee access to and use of the portals. According to the SEC, these are willful violations of the laws governing registered broker-dealers and investment advisers. The SEC ordered that Morgan Stanley be censured and pay a civil money penalty in the amount of $1 million.
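The three safeguards the order lists (a working authorization module, periodic testing of it, and monitoring of portal use) are easy to state and easy to get wrong in the way the order describes: a role changes but the entitlements derived from it do not. The following is an added toy model written for this post, not Morgan Stanley’s system or anything taken from the SEC order. The role table, branch codes, user IDs and the search threshold are all constructed for illustration; it shows an entitlement check, an audit that catches a stale grant after a role change, and a monitor that flags unusual search volume and denied searches.

```python
"""Toy model of three safeguards: entitlement check, entitlement audit, access monitoring.

Constructed example; roles, branch codes, user IDs and thresholds are illustrative.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed role-to-scope table: the branch codes each role has a business need to query.
# The scopes are disjoint so that a promotion is supposed to *change* the grant, not widen it.
ROLE_SCOPES = {
    "sales_assistant": {"BR-100"},
    "financial_adviser": {"BR-200"},
}


@dataclass
class Employee:
    user_id: str
    role: str
    entitlements: set = field(default_factory=set)


def provision(emp: Employee, role: str) -> None:
    """Assign a role and re-derive entitlements from it; nothing from the old role is kept."""
    emp.role = role
    emp.entitlements = set(ROLE_SCOPES[role])


def authorize(emp: Employee, branch: str) -> bool:
    """Authorization module: a portal query is answered only for branches in the user's scope."""
    return branch in emp.entitlements


def run_search(emp: Employee, branch: str, log: list) -> bool:
    """Perform one portal search, recording the attempt and its outcome for later review."""
    allowed = authorize(emp, branch)
    log.append({"user": emp.user_id, "branch": branch, "allowed": allowed})
    return allowed


def audit_entitlements(staff: list) -> list:
    """Periodic test of the module: users whose effective grants differ from their role's scope."""
    return [e.user_id for e in staff if e.entitlements != ROLE_SCOPES[e.role]]


def monitor_access(log: list, max_searches: int) -> dict:
    """Flag users whose search count exceeds the threshold or who had any search denied."""
    searches = Counter(entry["user"] for entry in log)
    denied = Counter(entry["user"] for entry in log if not entry["allowed"])
    return {
        user: {"searches": count, "denied": denied[user]}
        for user, count in searches.items()
        if count > max_searches or denied[user]
    }


def demo():
    """Constructed scenario: one user's role changes in the HR record but provisioning is never re-run."""
    staff = [Employee("u1", "sales_assistant"), Employee("u2", "sales_assistant")]
    for emp in staff:
        provision(emp, emp.role)

    staff[1].role = "financial_adviser"  # stale grant: entitlements still say BR-100

    log = []
    for _ in range(5):
        run_search(staff[0], "BR-100", log)      # normal use within scope
    for _ in range(12):
        run_search(staff[1], "BR-100", log)      # allowed only because the old grant lingers
    run_search(staff[1], "BR-200", log)          # denied: the new role's scope was never granted

    findings = audit_entitlements(staff)         # ["u2"]
    flagged = monitor_access(log, max_searches=10)
    return findings, flagged


def remediate(staff: list) -> list:
    """Re-provision every user from their current role, then re-run the audit (should be empty)."""
    for emp in staff:
        provision(emp, emp.role)
    return audit_entitlements(staff)


if __name__ == "__main__":
    findings, flagged = demo()
    print("audit findings:", findings)
    print("monitor flags:", flagged)
```

The audit is the cheap control: comparing each user’s effective grants against the scope their role implies takes one pass over the user table and would have surfaced a grant that outlived a promotion. The monitor is the backstop, since it works from the access log alone and needs no knowledge of why a search was out of scope.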
Businesses that collect and maintain confidential customer data would be well advised to heed the recent data breach cases and either review the existing system or start thinking about building one in order to minimize risks of potential liability resulting from compromised customer data. As always, it is better to look ahead and prepare than to look back and regret.
If you have any questions about the content of this blog or any other securities or business law issues, please contact us.
If you have any suggestions for blog topics, please send them to [email protected].
This posting is intended to be a planning tool to familiarize readers with some of the high-level issues discussed herein. This is not meant to be a comprehensive discussion and additional details should be discussed with your transaction planners including attorneys, accountants, consultants, bankers and other business planners who can provide advice for your circumstances. This article should not be treated as legal advice to any person or entity.
Steps have been taken to verify the contents of this article prior to publication. However, readers should not, and may not, rely on this article. Please consult with counsel to verify all contents and do not rely solely on this article in planning your legal transactions.
[1] See generally SEC, Morgan Stanley Failed To Safeguard Customer Data (June 8, 2016), https://www.sec.gov/news/pressrelease/2016-112.html. See also In re Morgan Stanley Smith Barney LLC, SEC Administrative Proceeding, File No. 3-17280 (June 8, 2016).
[2] See generally In re Morgan Stanley Smith Barney LLC, SEC Administrative Proceeding, File No. 3-17280 (June 8, 2016). Unless otherwise noted, all references to the SEC allegations are from this citation.
[3] There is a separate proceeding against Galen Marsh. This blog will focus only on the proceeding against Morgan Stanley.