SEC Fines Morgan Stanley for Data “Breach”

James Vorhis
Nossaman LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Last week, the SEC fined Morgan Stanley $1 million for two data security failures resulting in the exposure of personal information of 730,000 of its customers. Andrew Ceresney, the director of enforcement at the SEC stated, “Given the dangers and impact of cyberbreaches, data security is a critically important aspect of investor protection…we expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information.” But this wasn’t your typical data breach situation, and it is an important lesson for companies.

That data “breach” occurred when a former employee downloaded customer records, which were then hacked and posted on-line. That former employee has been suspended by the SEC, but it was the fine of Morgan Stanley that is the real story because this wasn’t a breach of the company’s defenses.

The SEC’s fine was based on two control failures.

First, the SEC asserted that Morgan Stanley failed to monitor its employees from accessing the records of customers where they were not authorized to do so. While there were some controls in place to prevent such actions in its internal data portals, a glitch permitted Morgan Stanley employees to access all customer records through a certain type of report.

Second, while the company had a control in place to prevent the use of thumb drives to download customer records, there was no corresponding control for uploading records on-line. Combined, those holes allowed one employee to access customer records and upload them to the internet.

This is an important lesson for companies because unlike most breaches we hear about in the news, this was not a hack of the company itself. Morgan Stanley is being fined for its employee’s bad acts.  Would the SEC fine Morgan Stanley if one of its employees printed customer records and then left them in a briefcase on a subway train? Perhaps.

The takeaway for companies is that they may be liable for cyber theft even where its own external defenses are in good shape and have not been breached. Time to brush up the internal policies and protocols.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Nossaman LLP | Attorney Advertising

Written by:

Nossaman LLP
Nossaman LLP
Contact
more
less

Nossaman LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide