FTC Closing Letter Provides Good Data Security Reminder

Alysa Hutnik
Kelley Drye & Warren LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Last week, the FTC sent a closing letter to Morgan Stanley Smith Barney LLC (“Morgan  Stanley”) relating to the agency’s investigation over whether Morgan Stanley engaged in unfair or deceptive acts or practices by failing to secure certain account information related to its Wealth Management clients.

The investigation examined allegations that a Morgan Stanley employee misappropriated client information by transferring data from the Morgan Stanley computer network to a personal website accessed at work, and then onto other personal devices.  The exported data subsequently appeared on multiple Internet websites, causing the potential for misuse of the data.

The agency, however, decided to informally close the case without taking further action because Morgan Stanley had established and implemented comprehensive policies and access controls designed to protect against insider theft of personal information.  Despite having such policies and controls in place, the FTC found that certain controls applicable to a narrow set of client reports were improperly configured.  This allowed the employee to access and misappropriate the data.

The FTC’s initiation of this investigation (and subsequent decision to close the case) provides a few key takeaways for companies that would prefer not to face the FTC:

  • Employ reasonable and appropriate safeguards to protect against unauthorized misuse of all sensitive consumer information;
  • Establish and implement comprehensive policies designed to protect against employee theft of personal information;
  • Have controls in place to ensure that company employees and/or contractors have access to sensitive personal information only on a “need to know” basis;
  • Monitor the size and frequency of data transfers by employees;
  • Prohibit employee use of USB or other devices to exfiltrate data;
  • Block employee access to certain high-risk Web applications and websites; and
  • Train employees regularly in meaningful data security practices.

Implementing and maintaining data security is a never-ending challenge, prompting organizations to have programs in place to match the ever evolving tactics by cybercriminals and rogue employees.  The FTC closing letter provides a valuable lesson: While companies should implement and maintain policies, procedures, and controls to protect against outside threats, they should also consider and protect against data security threats arising much closer to home.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Kelley Drye & Warren LLP | Attorney Advertising

Written by:

Kelley Drye & Warren LLP
Kelley Drye & Warren LLP
Contact
more
less

Kelley Drye & Warren LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide