Morgan Stanley to pay $35 million fee for ‘astonishing’ customer data disposal practices

Morgan Stanley will pay a $35 million penalty to settle charges from the U.S. Securities and Exchange Commission for wide-ranging failures around properly disposing of hard drives and servers containing the personal information of some 15 million customers.

The company did not respond to requests for comment, but the SEC said in an order released Tuesday that the fines are centered around the privacy practices of its U.S. wealth management business — Morgan Stanley Smith Barney (MSSB).

According to the SEC, MSSB at times hired a moving and storage company “with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the personal identifying information of millions of its customers.”

The storage company then sold the servers to third-party buyers and others.

“Moreover, according to the SEC’s order, over several years, MSSB failed to properly monitor the moving company’s work,” the SEC said. 

“The staff’s investigation found that the moving company sold to a third party thousands of MSSB devices including servers and hard drives, some of which contained customer PII [Personal Identifiable Information], and which were eventually resold on an internet auction site without removal of such customer PII.”

In another instance, MSSB lost 42 servers that were thrown out when it shut down local offices or conducted hardware refresh programs. All of the servers “potentially” have unencrypted customer and consumer report information. 

MSSB later learned that the devices they disposed of had encryption software, which was never activated.

“MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so,” said Gurbir Grewal, Director of the SEC’s Division of Enforcement. 

“If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”

The SEC said the failures spanned a five-year period starting in 2015.

The announcement notes that there were even more devices in the wild that MSSB managed to recover, . The company then discovered the devices contained “thousands of pieces of unencrypted customer data.”

But the “vast majority” of the devices have not been found, according to the SEC. 

The SEC allowed MSSB to settle charges by paying the $35 million penalty without admitting or denying its findings. The company did not respond to requests for comment.