Cyber Security

Morgan Stanley's $6.5 Million Data Security Settlement: Lessons Learned and Consequences for Negligence

Morgan Stanley’s Settlement

Morgan Stanley agreed to pay $6.5 million to settle claims by six states that poor data security practices had exposed consumers' personal information. The negligent handling of decommissioned hardware put customers' personal data at risk of disclosure. As part of the settlement, Morgan Stanley must also take specific steps to protect customer data and prevent similar incidents in the future.

Agreement on $6.5 million fine for data security negligence

The settlement followed a multi-state investigation that found Morgan Stanley had negligently put the personal data of millions of customers at risk. The company failed to completely erase unencrypted data when disposing of its computer devices, exposing its customers' data. Acknowledging this, Morgan Stanley agreed to pay $6.5 million to the six states' attorneys general.

Finding from the Florida Attorney General’s Office on exposing personal information

According to the Florida Attorney General's Office, customer data was put at risk by Morgan Stanley's negligent internal security processes. These lapses led to two incidents: one in which the company hired an inexperienced moving vendor, leading to the unauthorized sale of computers holding sensitive customer data, and another in which 42 unencrypted servers went missing during a decommissioning process. In both cases, customer data that may have been unencrypted left the company's control. The incidents also exposed a lack of vendor controls and of hardware inventory at Morgan Stanley; either control, if present, could have averted these data-security incidents.

Details of the Negligence

Several instances of negligence led to Morgan Stanley's data security failure, which exposed customers' private information and resulted in the $6.5 million fine. From improper disposal of hardware to inadequate monitoring of vendor activities, the neglect of the fundamentals of secure data handling led to this substantial security failure.

Improper Disposal of Hard Drives Containing Unencrypted Personal Information

An investigation into the company's practices found that when decommissioning its hardware, Morgan Stanley failed to thoroughly erase unencrypted personal data from thousands of hard drives. Disposing of unwiped, unencrypted media in this way meant that anyone who later obtained the drives could read the data directly. Industry practice (for example, NIST SP 800-88, Guidelines for Media Sanitization) calls for a verified overwrite, degaussing, or physical destruction of such media, with a certificate of destruction recorded against each device's serial number.

Hiring an Inexperienced Moving Company for Data-Destruction Services

In another alarming oversight, Morgan Stanley enlisted the services of a moving company with no experience in data destruction. The vendor therefore lacked the expertise to handle hardware containing sensitive customer information, further increasing the risk of data exposure.

Unmonitored Actions Leading to the Sale of Computer Equipment at Internet Auctions

Compounding the issue, the hired moving company sold the computer equipment in internet auctions without Morgan Stanley's knowledge. This unauthorized sale put sensitive, unencrypted customer data at risk of being accessed by unauthorized parties and represented a major failure in monitoring vendor activities.

Discovery of 42 Missing Servers During Another Decommissioning Process

In a separate incident, during another decommissioning process, Morgan Stanley discovered that 42 servers were missing. Because of a flaw in the encryption software, the data on those servers may have remained unencrypted. The lack of adequate measures to account for hardware and verify its encryption state at the decommissioning stage further contributed to the company's negligence.

Consequences and Actions Required by the Settlement

The security failure led to a settlement that is costly for Morgan Stanley not only in its financial penalty but also in the compliance requirements it imposes to improve the company's data security practices and prevent similar incidents in the future.

$6.5 Million Payment to Six States

As a direct financial outcome of the settlement due to the data security negligence, Morgan Stanley was required to pay $6.5 million to six states that include Florida, Connecticut, Indiana, New Jersey, New York, and Vermont.

Requirement to Improve Security of Personal Information

In addition to the monetary fine, the settlement imposes requirements for better data security measures. Morgan Stanley must significantly improve the security of the personal information it holds. This obligation is intended to prevent a repeat of the decommissioning failures and to reduce the risk of future data exposure.

Orders to Encrypt Data at Rest and in Transit

On a more granular level, the company has been ordered to implement stringent encryption protocols. Morgan Stanley is obligated to encrypt all personal information it holds, whether the data is at rest (stored) or in transit (being transmitted). Encryption at rest only protects decommissioned hardware if it is verified on each device, which is exactly what the encryption software flaw behind the missing servers undermined.

Implementation of a Data Collection, Use, Retention, and Disposal Policy

Under the settlement, Morgan Stanley must also implement a written policy that sets out how the company handles customer data: how it collects, uses, retains, and disposes of consumer personal information, with security controls at each of these stages.

Implementation of Tools to Track Hardware Containing Personal Information

The lack of a reliable inventory of hardware storing sensitive data was one of the key issues behind the incidents. Going forward, Morgan Stanley is required to use both manual processes and automated tools to track all hardware that contains personal information, strengthening its ability to audit and control that hardware. In practice, such an inventory is only useful if it is reconciled at decommissioning: every device that leaves the company's custody should be matched against a certificate of destruction, and a device with no certificate should be treated as missing.
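The following is an added example, not Morgan Stanley's tooling and not a control specified by the settlement. It shows the reconciliation step that a hardware inventory feeds: the list of devices sent for decommissioning is matched against the vendor's certificates of destruction, and each device's encryption state counts only if it was verified on the device rather than taken from an inventory flag. All serial numbers, certificate identifiers, and site names are constructed sample data.

```python
"""Reconcile a decommissioning batch against vendor destruction certificates.

Flags devices that left custody without a certificate of destruction, and
devices holding personal data whose encryption was never verified on the
device itself. All data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Asset:
    serial: str
    kind: str            # "drive" or "server"
    site: str
    holds_pii: bool      # classification recorded by the data owner
    encrypted: bool      # encryption flag as recorded in the inventory system


@dataclass(frozen=True)
class Finding:
    serial: str
    severity: str        # "critical", "high" or "medium"
    reason: str


# Constructed sample: what the inventory system says was sent for decommissioning.
INVENTORY: List[Asset] = [
    Asset("SRV-0001", "server", "branch-12", holds_pii=True, encrypted=True),
    Asset("SRV-0002", "server", "branch-12", holds_pii=True, encrypted=True),
    Asset("SRV-0003", "server", "branch-12", holds_pii=True, encrypted=False),
    Asset("HDD-1001", "drive", "dc-east", holds_pii=True, encrypted=False),
    Asset("HDD-1002", "drive", "dc-east", holds_pii=False, encrypted=False),
    Asset("HDD-1003", "drive", "dc-east", holds_pii=True, encrypted=True),
]

# Constructed sample: serials for which the vendor returned a certificate of destruction.
CERTIFICATES: Dict[str, str] = {
    "SRV-0001": "COD-2023-0456",
    "HDD-1002": "COD-2023-0457",
    "HDD-1003": "COD-2023-0458",
    "HDD-9999": "COD-2023-0459",   # vendor certifies a serial the inventory never shipped
}

# Constructed sample: serials whose encryption state was checked on the device
# (e.g. by confirming the full-disk encryption tool had wrapped the whole volume)
# rather than read from the inventory flag.
ENCRYPTION_VERIFIED: Set[str] = {"SRV-0001", "HDD-1003"}


def reconcile(inventory: List[Asset], certificates: Dict[str, str],
              encryption_verified: Set[str]) -> List[Finding]:
    """Return one Finding per device that cannot be shown to be safely disposed of."""
    findings: List[Finding] = []
    shipped = {a.serial for a in inventory}
    for a in inventory:
        # An inventory flag alone is what a flaw in the encryption software would
        # silently falsify, so only a device-level verification counts as protection.
        protected = a.encrypted and a.serial in encryption_verified
        if a.serial not in certificates:
            if a.holds_pii and not protected:
                findings.append(Finding(a.serial, "critical",
                    "no certificate of destruction; held personal data that is not verifiably encrypted"))
            elif a.holds_pii:
                findings.append(Finding(a.serial, "high",
                    "no certificate of destruction; held verifiably encrypted personal data"))
            else:
                findings.append(Finding(a.serial, "medium", "no certificate of destruction"))
        elif a.holds_pii and not protected:
            findings.append(Finding(a.serial, "high",
                "destroyed, but personal data was not verifiably encrypted while in vendor custody"))
    # Certificates for serials we never shipped point at gaps in the inventory itself.
    for serial in certificates:
        if serial not in shipped:
            findings.append(Finding(serial, "medium",
                "vendor certified a serial that is absent from the inventory"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by severity, always reporting all three levels."""
    counts = {"critical": 0, "high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = reconcile(INVENTORY, CERTIFICATES, ENCRYPTION_VERIFIED)
    for f in sorted(results, key=lambda f: ("critical", "high", "medium").index(f.severity)):
        print(f"{f.severity:8} {f.serial:10} {f.reason}")
    print(summarize(results))
```

On the constructed data the script reports three critical findings (two servers and a drive that left custody with no certificate and no verified encryption) and one medium finding for the certificate that matches nothing in the inventory; the latter is the signal that the inventory, not just the vendor, is incomplete.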

Maintenance of an Information Security Program, an Incident Response Plan, and a Vendor Risk Assessment Team

To bolster its overall information security management, Morgan Stanley must maintain a comprehensive information security program. The firm must also maintain an incident response plan that documents incidents and the actions taken in response to them. In addition, a vendor risk assessment team must be established to ensure that vendors comply with the data security requirements Morgan Stanley sets for them.

Other News

In addition to Morgan Stanley's significant settlement, there have been a variety of other developments in the cybersecurity landscape.

US States Announce $16M Settlement with Experian, T-Mobile Over Data Breaches

In another significant case, Experian and T-Mobile agreed to a $16 million settlement with US states over data breaches, continuing a trend of substantial financial penalties for companies that fail to adequately protect consumer information.

Yamaha Motor Confirms Data Breach Following Ransomware Attack

Yamaha Motor has also confirmed a data breach, in this case following a ransomware attack. The incident highlights the growing threat ransomware poses to company data and the need for stringent data protection measures across industries.

US Announces $70 Million Cybersecurity Boost for Rural, Municipal Utilities

In response to rising cyber threats, the US government has announced a $70 million boost to cybersecurity measures specifically for rural and municipal utilities. The move reflects the government's recognition that critical infrastructure operators with limited resources need enhanced security measures to counter the increasing risk of cyberattacks.

Reactionary Times News Desk

All breaking news stories that matter to America. The News Desk is covered by the sharpest eyes in news media, as they decipher fact from fiction.
