Is Your Stockbroker Keeping Your Personal Data Safe?

Savage Villoch Law, PLLC

While it may be difficult to verify first-hand how secure your stockbroker keeps your personal information, a recent order from the Securities and Exchange Commission (SEC) shows that even the largest stockbrokers are prone to customer data breaches.

On September 20, 2022, the SEC fined financial services giant Morgan Stanley Smith Barney (“MSSB”) $35 million for failing to adequately protect its customer’s records and personal identifying information (“PII”). [1] The fine was entered via a settlement between the SEC and MSSB, through which MSSB has agreed to pay a civil penalty for the SEC’s charges without admitting to nor denying the violations. [2]

MSSB is a subsidiary of Morgan Stanley and focuses on wealth management services for clients ranging from individuals to large corporations. [3] More specifically, MSSB is the broker-dealer designation for the group more commonly known as Morgan Stanley Wealth Management. [3] During the second quarter of 2022, Morgan Stanley Wealth Management recorded $5.7 billion in net revenues. [4]

Through its order, the SEC alleged that MSSB engaged in two separate violations of federal securities laws. First, the order alleged that MSSB willfully violated the Safeguards Rule, a federal regulation which requires broker-dealers to adopt written policies and procedures regarding safeguards for the protection of customer data. [1]

Second, the order alleged MSSB’s willful violation of the Disposal Rule, a federal regulation requiring broker-dealers which possess consumer data to “take reasonable measures to protect against unauthorized access to, or use of, the information in connection with its disposal.” [1]

MSSB’s alleged violations occurred in connection with its effort in 2016 to decommission two data centers (the “2016 Data Center Decommissioning”). [1] To accomplish the decommissioning process, MSSB contracted with one approved vendor, referred to as “Moving Company,” to “pick-up, transport and decommission” devices from the MSSB data centers. [1] While Moving Company was one of MSSB’s approved vendors, MSSB never approved any sub-vendors for the decommissioning process. [1]

Despite this fact, Moving Company worked jointly over the course of the decommissioning process with two separate, unapproved sub-vendors – “IT Corp A” and “IT Corp B.” [1] Initially, Moving Company collected devices from the data centers and delivered them to IT Corp A. IT Corp A would either complete the required data-wiping processes and resell the devices, or destroy the devices altogether. [1] Inventories were kept, and MSSB received information about the wiped and destroyed devices from Moving Company. [1]

Not long after the decommissioning began, however, Moving Company ceased working with IT Corp A in favor of IT Corp B. Per the SEC’s findings, Moving Company sold the MSSB devices to IT Corp B under the guise that the devices had already been wiped of any MSSB data. In reality, the devices had not been wiped, yet IT Corp B gained possession of the devices and began selling them to downstream customers. [1]

MSSB became aware of this data breach when an IT consultant from Oklahoma emailed MSSB to inform them that it had purchased hard drives via an online auction, and that the hard drives contained accessible MSSB customer data. [1]

In all, the SEC’s order seeks to hold MSSB accountable for its failure to properly safeguard the sensitive data its customers entrust it with. Per the SEC’s findings, MSSB failed to adequately vet the data wiping and destruction processes of its approved vendor, Moving Company, and further failed to maintain its own internal policies and procedures to ensure customer data is disposed of properly. [1]

This situation serves as a cautionary tale. While MSSB contends that it has received no reports of customer data being misused as a result of this breach, the company still clearly has room for improvement in maintaining the security of its customer data. No matter the size of the broker, investors should be wary of the safety of their personal data.

Have concerns about a breach of your personal data? Reach out to one of the trusted attorneys at Savage-Villoch Law for a consultation.

Sources:

[1] https://www.sec.gov/litigation/admin/2022/34-95832.pdf

[2] https://www.sec.gov/news/press-release/2022-168

[3] https://www.morganstanley.com/content/dam/msdotcom/en/about-us-ir/shareholder/2q2022.pdf

Client Reviews

I am deeply grateful for the superb representation I received from Robert (Bert) Savage, at Savage Villoch Law representing me in my complex investment loss claim. Bert and the legal team at Savage Villoch Law were consistent and persistent from the start, understanding and pursuing my case and...

L. Nathan

Alfred Villoch is a very versatile individual. He's helped me in several parts of the law and was able to leverage his experience multiple times whether with corporate law or insurance. He takes the extra steps needed to not only ensure an iron clad proposal is offered but sees the value as a...

Simon

Over the years I have come to rely on the expertise of Robert "Bert" Savage in the most important matters concerning my business and my non profit organization. His knowledge and guidance has allowed me to take a more successful path than I would've chosen without him. He takes a genuine interest in...

Bob

If ever I have a legal question impacting my affairs I know I can turn to Alfred as a dependable resource. Accessing his high levels of varied expertise ensures I make decisions that shall contribute to favorable outcomes. He's extremely responsive and thoughtful in his advice, and is always...

Joy

Bert Savage has been a great help to myself and my company. He has demonstrated that he is very knowledgeable and effective, and seems to achieve a lot with the hours he bills. We are quite satisfied with his services and intend to continue our relationship with him. Highly recommended for any of...

William

Contact Us

  1. 1 Free Case Study
  2. 2 Over 40 Years of Combined Experience
  3. 3 No Fees Unless You Win

Fill out the contact form or call us at 813-200-0013 to schedule your free consultation.

Leave Us a Message