Securities and Exchange Commission (SEC) officials have detailed charges against Morgan Stanley Smith Barney LLC (MSSB), alleging the firm failed to protect customer personal identifying information (PII).
Per the SEC order, MSSB agreed to pay a $35 million penalty to settle the SEC charges addressing five years and involving approximately 15 million customers.
“MSSB’s failures in this case are astonishing,” SEC Enforcement Division Director Gurbir S. Grewal said. “Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so. If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors.”
Grewal said the SEC’s action sends a message to financial institutions that they must take their obligation to safeguard data seriously.
The SEC alleges as far back as 2015, MSSB failed to properly dispose of devices containing its customers’ PII. On multiple occasions, the company hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the PII of millions of its customers.
Additionally, the SEC’s order maintains over several years, MSSB failed to properly monitor the moving company’s work and an SEC investigation determined the moving company sold to a third party thousands of MSSB devices that included servers and hard drives eventually resold on an internet auction site without removal of such customer PII.
According to the SEC, MSSB consented to the SEC’s order finding the firm violated the Safeguards and Disposal Rules under Regulation S-P, and agreed to pay the penalty without admitting or denying its findings.