OCC’s Enforcement Action
The OCC’s Consent Order against Morgan Stanley details two instances in which the investment bank failed to provide proper oversight of customers’ data. The first occurred in 2016, while the bank was decommissioning two datacenters associated with its US wealth management operations. According to the order, the bank failed to properly oversee the contractors dismantling and disposing of the datacenters’ hardware. The contractors lost some equipment and sent other equipment to be recycled before all customer data had been wiped from it. Furthermore, the order states: “…the Bank, among other things, failed to effectively assess or address the risks associated with the decommissioning of its hardware; failed to adequately assess the risk of using third party vendors, including subcontractors; and failed to maintain an appropriate inventory of customer data stored on the devices. The Bank failed to exercise adequate due diligence in selecting the third party vendor engaged by Morgan Stanley and failed to adequately monitor the vendor’s performance.” According to a lawsuit filed by affected customers, the data left on the equipment included highly sensitive personally identifiable information: social security numbers, names and addresses, as well as passport and bank account details. This is effectively all that cybercriminals would need to steal the identities of the bank’s current and former customers or to make fraudulent purchases. The second instance occurred in 2019, when a similar issue arose during the decommissioning of network devices from a local branch.
Bank Fails to Understand Data’s Value
Even in this day and age, it seems the bank failed to understand the value of the enormous quantities of data it held. As Mark Rasch, an attorney with the law firm Kohrman, Jackson & Krantz, put it: “If this were a bank vault, they would understand.” A bank would never dream of decommissioning a vault without first making sure that it was empty, nor would it trust a third party to decommission the vault on its behalf; the whole decommissioning process would involve many checks and balances. Richard Santalesa, a technology and data privacy attorney at SmartEdgeLaw Group, notes that the OCC fine would have made most top-level managers responsible for data privacy and security sit up and take note. “I know that if I were sitting in that C-seat, I’d immediately add a ‘data destruction/deletion review’ agenda item to my next department meeting,” he says. That is likely the effect the OCC was aiming for when it imposed the $60 million fine on Morgan Stanley.
Morgan Stanley’s Response
According to the OCC’s consent order, Morgan Stanley notified potentially impacted customers of the 2016 incident at the OCC’s direction, whereas it notified potentially impacted customers of the 2019 incident voluntarily. Furthermore, a Morgan Stanley spokesperson said the bank had found no evidence that any customer data had been misused. Nonetheless, the bank has apparently introduced new security measures and is monitoring the situation. “… we have instituted enhanced security procedures, including continuous fraud monitoring, and will continue to strengthen the controls that we have in place to protect our clients’ information,” the spokesperson explained in a statement. “Safeguarding our clients’ information is of paramount importance.”