As far back as 2015, MSSB failed to properly dispose of devices containing its customers’ PII, says the SEC. On multiple occasions, MSSB hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the information of millions of its customers.
Moreover, over several years, the firm failed to properly monitor the moving company’s work. The regulator’s investigation found that the moving company sold thousands of MSSB devices, including servers and hard drives, to a third party. Some of the devices contained customer PII, and they were eventually resold on an internet auction site without that PII being removed.
While MSSB recovered some of the devices, which were shown to contain thousands of pieces of unencrypted customer data, the firm has not recovered the vast majority of the devices.
“MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so,” says Gurbir Grewal, director of the SEC’s enforcement division.
Without admitting or denying the findings, MSSB has consented to the SEC’s order and agreed to pay the $35 million penalty.