Last week, the FTC sent a closing letter to Morgan Stanley Smith Barney LLC (“Morgan Stanley”) relating to the agency’s investigation into whether Morgan Stanley engaged in unfair or deceptive acts or practices by failing to secure certain account information related to its Wealth Management clients.

The investigation examined allegations that a Morgan Stanley employee misappropriated client information by transferring data from the Morgan Stanley computer network to a personal website accessed at work, and then onto other personal devices. The exported data subsequently appeared on multiple Internet websites, creating the potential for misuse of the data.

The agency, however, decided to informally close the case without taking further action because Morgan Stanley had established and implemented comprehensive policies and access controls designed to protect against insider theft of personal information.  Despite having such policies and controls in place, the FTC found that certain controls applicable to a narrow set of client reports were improperly configured.  This allowed the employee to access and misappropriate the data.

The FTC’s initiation of this investigation (and subsequent decision to close the case) provides a few key takeaways for companies that would prefer not to face the FTC:

  • Employ reasonable and appropriate safeguards to protect against unauthorized misuse of all sensitive consumer information;
  • Establish and implement comprehensive policies designed to protect against employee theft of personal information;
  • Have controls in place to ensure that company employees and/or contractors have access to sensitive personal information only on a “need to know” basis;
  • Monitor the size and frequency of data transfers by employees;
  • Prohibit employee use of USB or other devices to exfiltrate data;
  • Block employee access to certain high-risk Web applications and websites; and
  • Train employees regularly in meaningful data security practices.

Implementing and maintaining data security is a never-ending challenge, one that requires organizations to have programs in place that keep pace with the ever-evolving tactics of cybercriminals and rogue employees. The FTC closing letter provides a valuable lesson: while companies should implement and maintain policies, procedures, and controls to protect against outside threats, they should also consider and protect against data security threats arising much closer to home.