By Emmanuel Nduka
A unit of Morgan Stanley has agreed to pay $35 million to settle Securities and Exchange Commission (SEC) charges after it failed to safeguard personal information for millions of customers, the regulator said Tuesday.
The SEC said that for five years, Morgan Stanley Smith Barney failed to protect personal identifying information for 15 million customers. The firm agreed to pay the fine without admitting or denying its findings.
In 2015, the firm failed to properly dispose of devices containing sensitive information, including repeatedly hiring a moving and storage company with no proper expertise to decommission thousands of hard drives and servers, the SEC said. Those devices wound up being sold to a third party and ultimately auctioned online with the personal information intact and unencrypted. Only a portion of those devices were recovered, according to the regulator.
The commission also said the firm lost track of 42 servers containing personal information when it was undergoing a hardware refresh program, and failed to activate existing encryption software on those devices for years beforehand.
“MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so,” said Gurbir Grewal, the SEC’s enforcement director.
A Morgan Stanley spokesperson in a statement on monday, said the firm was pleased to resolve the matter, and had previously notified affected clients of the issues. The firm also said it has not detected any unauthorized access or misuse of personal information.