Morgan Stanley Smith Barney LLC has agreed to pay $1 million to settle U.S. Securities and Exchange Commission charges that it failed to protect customer information.  In an Order issued today, Morgan Stanley agreed to settle charges – without admitting or denying them – that a former employee accessed and transferred data regarding 73,000 accounts to his personal server.  The SEC Order states that the former employee’s server was hacked by a third-party and that some of the customer information was offered for sale online.

The SEC’s Order found that Morgan Stanley violated the Safeguards Rule, Rule 30(a) of Regulation S-P, which requires investment advisers and broker dealers to adopt written policies and procedures reasonably designed to protect customer records and information.

Andrew Ceresney, the SEC’s Director of Enforcement, said in a press release that “data security is a critically important aspect of investor protection.  We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information.”