Morgan Stanley Fined $60m Over Data Disposal
American multinational investment bank and financial services company Morgan Stanley has been fined $60m for improperly disposing of personal data.
The substantial fine was imposed on Morgan Stanley Bank, N.A., and Morgan Stanley Private Bank, N.A. by the US Office of the Comptroller of the Currency (OCC), which discovered deficiencies in the banks' data decommissioning practices.
The federal banking agency found that in 2016, the banks "failed to exercise proper oversight of the decommissioning of two Wealth Management business data centers located in the United States."
Among the issues flagged by the OCC were inadequate risk assessment and monitoring of third-party vendors and a failure to keep track of customer information.
A consent order for the assessment of a civil money penalty states that the banks "failed to effectively assess or address the risks associated with the decommissioning of its hardware; failed to adequately assess the risk of using third party vendors, including subcontractors; and failed to maintain an appropriate inventory of customer data stored on the devices."
Morgan Stanley, which is headquartered in New York City, was also found to have failed to exercise adequate due diligence in selecting the third-party vendor it engaged and to have failed to adequately monitor the vendor’s performance.
Three years on from the decommissioning of the two data centers, the OCC found data disposal at the banks was still not as it should be.
"In 2019, the banks experienced similar vendor management control deficiencies in connection with decommissioning other network devices that also stored customer data," stated the comptroller.
Morgan Stanley, at the OCC’s direction, notified potentially impacted customers of the 2016 incident, and voluntarily notified potentially impacted customers of the 2019 incident. The bank has undertaken initial corrective actions, and the OCC states that it "is committed to taking all necessary and appropriate steps to remedy the deficiencies."
The OCC found the noted deficiencies constitute "unsafe or unsound practices" and resulted in noncompliance with 12 CFR Part 30, Appendix B, "Interagency Guidelines Establishing Information Security Standards."
The $60m civil money penalty will be paid to the United States Treasury.