
Morgan Stanley unit fined $35 million for improper handling of client data

To resolve Securities and Exchange Commission (SEC) claims that it consistently ignored the safety of clients' personal data, Morgan Stanley Smith Barney (MSSB) agreed to pay $35 million.

The company failed to adequately secure the personally identifiable information of around 15 million MSSB customers during a five-year period beginning in 2015, the SEC said in a news statement Tuesday. MSSB is a wholly owned subsidiary of Morgan Stanley.

According to the SEC, the issue started when MSSB failed to encrypt consumer personal information kept on computer servers and hard drives. According to the agency, the company deactivated two data centers in 2016 and failed to properly dispose of its computer servers and hard drives.

In settling, MSSB did not confirm or refute the SEC's conclusions. As part of the agency's order, the company consented to be criticized.

The SEC stated that MSSB should have employed data specialists to remove any sensitive data from the devices it intended to decommission. Instead, the agency claimed in its order, the firm engaged a moving and storage company without any data experience to "remove, destroy, or delete" data from servers and hard drives that held thousands of pieces of personal data.

To remove data from the servers, the moving business first hired an IT firm. The SEC claims that it later stopped working with that IT firm and hired another one that had never been examined or approved by MSSB. The second IT firm that the moving business hired was never instructed to delete the material.

According to the SEC, some of the 4,900 servers and hard drives the moving firm sold still contained clients' personal information and were put up for sale online.

MSSB apparently became aware of the problem in 2017 after receiving an email from an IT expert in Oklahoma who claimed to have bought hard disks containing the company's data online.

The SEC said that while MSSB was able to retrieve some of the sold devices, it did not recover all of them.

Throughout the process, the moving business charged MSSB for operations that included erasing data from servers. The SEC claimed that the company just paid the bills without thoroughly reviewing the work and invoices.

Similarly, the SEC claimed that MSSB misplaced 42 computer servers from regional offices and branches in 2019 when the business switched to new hardware. The SEC said that while the business had encryption software installed on the servers that held the client data, it was not used.

According to the SEC, the company had no documented protocols in place for properly getting rid of computer equipment that contained client data.

The agency claimed that MSSB intentionally disregarded the Safeguards and Disposal Rules of Regulation S-P.

Gurbir Grewal, Director of the SEC's Enforcement Division, said in a statement that "MSSB's failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so."

The action taken today, according to Grewal, "sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data."

In an email statement, a corporate representative stated, "We are pleased to be resolving this matter. We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information."

In December 2021, Morgan Stanley and about a dozen clients reached an agreement to create a $60 million trust fund as part of a class-action lawsuit settlement addressing the personal information that was exposed when the bank shut down its two wealth management centers. For failing to keep a proper inventory of the client data held on the retired hardware, Morgan Stanley was assessed a $60 million fine by the Office of the Comptroller of the Currency in October 2020.


