The Federal Trade Commission offered industry some lessons in data security by way of a letter to Morgan Stanley Smith Barney LLC that closed an investigation into possible privacy violations at the company.
"[D]ata security is an ongoing process," Maneesha Mithal, associate director of the FTC's Division of Privacy and Identity Protection, wrote to Morgan Stanley's counsel. "As risks, technologies, and circumstances change over time, companies must adjust security practices accordingly."
Allegations that a Morgan Stanley employee misappropriated information about wealth management clients triggered the investigation. The employee purportedly transferred data from the company's computer network to a personal website that he accessed at work and then onto his personal devices. Clients were exposed to potential harm because the data appeared on multiple websites, the FTC said.
But, because of Morgan Stanley's preexisting policies, which were designed to protect against insider theft of information, and its prompt response when it discovered that a set of controls was improperly configured, the agency decided to close the investigation instead of moving forward with an enforcement action, Mithal explained.
"Morgan Stanley had established and implemented comprehensive policies designed to protect against inside theft of personal information," the letter stated. "For example, the company established and implemented a policy allowing employees to access only the personal data for which they had a business need, monitored the size and frequency of data transfers by employees, prohibited employee use of USB or other devices to exfiltrate data, and blocked employee access to certain high-risk Web applications and websites."
The employee at issue gained access to client data despite the controls only because "the access controls applicable to a narrow set of reports were improperly configured," the FTC said. "However, Morgan Stanley promptly fixed the problem when it came to the company's attention."
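One of the controls the letter credits is monitoring the size and frequency of employee data transfers. The following is an added illustration of that idea, not code from the FTC, Morgan Stanley, or the original article: it reads a constructed transfer log (a hypothetical format of timestamp, user, destination and byte count), applies assumed per-user limits within a sliding time window, and reports which users exceeded them and why.

```python
"""Flag employees whose data transfers exceed size or frequency limits in a sliding window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transfer log (hypothetical format): timestamp user destination bytes
SAMPLE_LOG = """\
2015-08-10T09:02:11 alice reports.internal 20480
2015-08-10T09:15:40 bob personal-site.example 5242880
2015-08-10T09:16:02 bob personal-site.example 6291456
2015-08-10T09:16:30 bob personal-site.example 7340032
2015-08-10T09:17:05 bob personal-site.example 8388608
2015-08-10T10:30:00 alice reports.internal 40960
2015-08-10T11:00:00 carol crm.internal 102400
"""

# Assumed policy limits per user within one window (not values from the FTC letter)
WINDOW = timedelta(minutes=10)
MAX_TRANSFERS = 3
MAX_BYTES = 20 * 1024 * 1024  # 20 MiB


def parse_log(text):
    """Parse lines into (timestamp, user, destination, size) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        ts, user, dest, size = line.split()
        events.append((datetime.fromisoformat(ts), user, dest, int(size)))
    return sorted(events)


def find_anomalies(events, window=WINDOW, max_transfers=MAX_TRANSFERS, max_bytes=MAX_BYTES):
    """Return {user: sorted reasons} for users that exceed a limit in any window."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    findings = {}
    for user, evs in by_user.items():
        reasons = set()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it is within `window` of the newest event
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            if len(in_window) > max_transfers:
                reasons.add("frequency")
            if sum(e[3] for e in in_window) > max_bytes:
                reasons.add("volume")
        if reasons:
            findings[user] = sorted(reasons)
    return findings
```

On the sample log only bob trips both limits; the per-user baselines and window length would in practice be tuned to each role's normal workload rather than fixed globally.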
Emphasizing that data security is not a static, unchanging task for a business, the FTC reminded Morgan Stanley—and other businesses—to stay on top of the issue. "As employees increasingly use personal websites and a host of online applications, companies should deploy appropriate controls to address the potential risks of broad access to such resources on work devices," Mithal concluded. "We hope and expect that all companies that handle sensitive consumer information will employ reasonable and appropriate safeguards to protect against unauthorized misuse of such data."
Why it Matters: In a blog post discussing the Morgan Stanley investigation, the agency said the incident provided three lessons for businesses that handle sensitive consumer information: prevention efforts, such as monitoring the size and frequency of data transfers by employees, are key; so is limiting access to confidential material; and so is adjusting data security practices in light of changing technologies and current risks.