SEC Fines Morgan Stanley $1 Million for Failing to Protect Customer Information | Practical Law


Morgan Stanley Smith Barney LLC has agreed to pay a $1 million fine to the SEC for failing to adopt written policies and procedures reasonably designed to protect customer information.

SEC Fines Morgan Stanley $1 Million for Failing to Protect Customer Information

Practical Law Legal Update w-002-5763 (Approx. 3 pages)


by Practical Law Intellectual Property & Technology
Published on 09 Jun 2016 | USA (National/Federal)
On June 8, 2016, the SEC announced an order under which financial firm Morgan Stanley Smith Barney LLC has agreed to pay a $1 million fine to settle charges that it failed to adopt written policies and procedures reasonably designed to protect customer information. The company did not admit or deny wrongdoing.
Between 2011 and 2014, a then-employee of Morgan Stanley impermissibly accessed and transferred the data for approximately 730,000 customer accounts to his personal server. The employee's server was later hacked by third parties, which likely resulted in confidential data being posted and offered for sale on the internet.
The SEC found that the data transfer was a result of Morgan Stanley's failure to protect customer data, in violation of Rule 30(a) of Regulation S-P, the "Safeguards Rule" (17 C.F.R. § 248.30(a)). Specifically, the SEC found that:
  • Morgan Stanley had adopted written policies, procedures, and technical controls to protect customer information.
  • However, the company failed to reasonably implement and monitor its controls on two internal portals that allowed employees to access customer data. For example, Morgan Stanley did not:
    • restrict employee access to data available through the portals based on legitimate business needs, such as limiting access to only those customers that employees support;
    • audit or test its authorization processes; or
    • monitor or analyze employees' access to and use of the portals.
The SEC's action serves as a reminder that in addition to adopting written policies and procedures, companies must:
  • Routinely test and monitor their privacy and data security controls to identify risks and close any identified gaps.
  • Recognize that privacy and data security risks may come from internal as well as external sources.
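The three gaps the SEC lists (no restriction of portal access to the customers an employee supports, no audit of the authorization process, no monitoring of how the portals were used) map onto three concrete controls: a per-request authorization decision, a replay of logged accesses against that decision to confirm it is actually enforced, and a per-employee usage check that flags bulk retrieval and exports outside an employee's book. The Python below is an added illustration of those controls and is not part of this Practical Law update nor a description of any Morgan Stanley system; the assignment table, the portal log, its `timestamp employee action account` format, the employee and account identifiers and the daily threshold are all constructed for the example.

```python
"""Added example: least-privilege check, authorization audit and usage
monitoring for a customer-data portal. All data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed assignment table: the customer accounts each employee supports.
# In a real deployment this would come from the book-of-business system.
ASSIGNMENTS = {
    "emp-101": {"acct-1001", "acct-1002", "acct-1003"},
    "emp-202": {"acct-2001", "acct-2002"},
}

# Constructed portal access log. Assumed format: timestamp employee action account
SAMPLE_LOG = """\
2014-03-01T09:00:01 emp-101 VIEW acct-1001
2014-03-01T09:00:05 emp-101 VIEW acct-1002
2014-03-01T09:02:00 emp-202 VIEW acct-2001
2014-03-01T09:02:30 emp-202 VIEW acct-1003
2014-03-01T21:10:00 emp-202 EXPORT acct-2001
2014-03-01T21:10:01 emp-202 EXPORT acct-2002
2014-03-01T21:10:02 emp-202 EXPORT acct-1001
2014-03-01T21:10:03 emp-202 EXPORT acct-1002
2014-03-01T21:10:04 emp-202 EXPORT acct-1003
malformed line that the parser should skip
"""


@dataclass(frozen=True)
class Access:
    ts: datetime
    employee: str
    action: str
    account: str


def is_authorized(employee, account, assignments=ASSIGNMENTS):
    """Control 1: the decision the portal must make on every request.
    An employee may only reach accounts they are assigned to support;
    unknown employees get nothing (deny by default)."""
    return account in assignments.get(employee, set())


def parse_log(text):
    """Turn raw portal log lines into Access records, skipping malformed lines
    so one bad line cannot silence the monitor."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append(Access(ts, parts[1], parts[2], parts[3]))
    return events


def audit_enforcement(events, assignments=ASSIGNMENTS):
    """Control 2: authorization audit. Replay every access the portal served
    against the policy. Any event returned here was allowed in production but
    would be denied by policy: the control exists on paper, not in practice."""
    return [e for e in events if not is_authorized(e.employee, e.account, assignments)]


def monitor_usage(events, assignments=ASSIGNMENTS, max_accounts_per_day=4):
    """Control 3: usage monitoring. Per employee and day, flag
    (a) EXPORT actions on accounts outside the employee's book and
    (b) touching more distinct accounts than the daily threshold or than
    the employee is assigned at all. Returns (kind, employee, day, detail)."""
    per_day = defaultdict(set)
    findings = []
    for e in events:
        per_day[(e.employee, e.ts.date())].add(e.account)
        if e.action == "EXPORT" and not is_authorized(e.employee, e.account, assignments):
            findings.append(("EXPORT_OUT_OF_BOOK", e.employee, str(e.ts.date()), e.account))
    for (employee, day), accounts in per_day.items():
        book_size = len(assignments.get(employee, ()))
        if len(accounts) > max_accounts_per_day or len(accounts) > book_size:
            findings.append(("BULK_ACCESS", employee, str(day), len(accounts)))
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in audit_enforcement(evts):
        print("policy would have denied:", e)
    for f in monitor_usage(evts):
        print("finding:", f)
```

Run on the constructed log, the audit reports four accesses by `emp-202` that the policy would have denied, and the monitor raises three out-of-book export findings plus one bulk-access finding for the same employee touching five accounts in a day against a book of two. The point of separating the audit from the monitor is the one the order makes: a written control that the portal never consults is found only by replaying real access against it, and an employee staying inside policy can still be a risk if volume is never looked at.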