Morgan Stanley Smith Barney (MSSB) has been fined $35 million for failing to safeguard the personal identifying information (PII) of approximately 15 million customers.
The Securities and Exchange Commission (SEC) charged the wealth management firm with “extensive failures” over a five-year period. According to the SEC, MSSB neglected to properly dispose of devices containing customer PII as far back as 2015. The firm repeatedly contracted a moving and storage company lacking the necessary expertise in data destruction to decommission thousands of hard drives and servers that held sensitive customer information.
Additionally, MSSB did not adequately monitor the work of the moving company. The investigation revealed that the moving company sold thousands of MSSB devices, including servers and hard drives containing PII, to a third party, which then resold them on an internet auction site without removing the customer data.
While MSSB managed to recover some devices, which were found to contain thousands of pieces of unencrypted customer information, the majority remain unaccounted for.
Gurbir Grewal, the director of the SEC’s enforcement division, remarked, “MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so.”
MSSB has agreed to pay the $35 million penalty without admitting or denying the SEC’s findings.