Last week, the SEC fined Morgan Stanley $1 million for two data security failures resulting in the exposure of personal information of 730,000 of its customers. Andrew Ceresney, the director of enforcement at the SEC, stated, “Given the dangers and impact of cyberbreaches, data security is a critically important aspect of investor protection…we expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information.” But this wasn’t your typical data breach situation, and it holds an important lesson for companies.
That data “breach” occurred when a former employee downloaded customer records, which were then hacked and posted on-line. That former employee has been suspended by the SEC, but the fine levied on Morgan Stanley is the real story, because this wasn’t a breach of the company’s defenses.
The SEC’s fine was based on two control failures.
First, the SEC asserted that Morgan Stanley failed to adequately monitor and restrict its employees’ access to customer records they were not authorized to view. While there were some controls in place to prevent such access in its internal data portals, a glitch permitted Morgan Stanley employees to access all customer records through a certain type of report.
Second, while the company had a control in place to prevent the use of thumb drives to download customer records, there was no corresponding control over uploading records on-line. Together, those gaps allowed one employee to access customer records and upload them to the internet.
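The two gaps described above map onto two checks a monitoring team can run over access logs: does any employee touch customer records outside their authorization (including through a report export path that sidesteps the portal’s controls), and does any customer record leave the network by an upload channel at all, regardless of authorization. The script below is an added illustration, not Morgan Stanley’s code or a description of its systems; the log format, field names, employee and account IDs, and the authorization table are all constructed for the example.

```python
"""
Added example: two detective controls over constructed customer-record access
logs, modelled on the two failures described above. All IDs, the log format
and the authorization table are constructed assumptions for this example.
"""
from collections import defaultdict

# Constructed: the client accounts each employee is authorized to view.
AUTHORIZED = {
    "emp_101": {"acct_1", "acct_2"},
    "emp_202": {"acct_3"},
}

# Constructed log lines: timestamp, employee, action, account, row count.
# "report_export" stands in for the report path that bypassed portal controls;
# "upload_external" stands in for sending records to an outside website.
LOG_LINES = [
    "2016-06-01T09:00:00 emp_101 portal_view acct_1 1",
    "2016-06-01T09:05:00 emp_101 report_export acct_3 1",    # outside authorization
    "2016-06-01T09:06:00 emp_101 report_export acct_4 1",    # outside authorization
    "2016-06-01T09:30:00 emp_202 portal_view acct_3 1",
    "2016-06-01T10:00:00 emp_202 upload_external acct_3 1",  # egress of customer data
]

RECORD_ACCESS_ACTIONS = {"portal_view", "report_export"}


def parse_line(line):
    """Split one constructed log line into a dict."""
    ts, emp, action, acct, rows = line.split()
    return {"ts": ts, "emp": emp, "action": action, "acct": acct, "rows": int(rows)}


def unauthorized_access(entries, authorized):
    """Control 1: any view or export of an account outside the employee's set.
    Report exports are checked the same way as portal views, so a report path
    that skips the portal's own checks is still caught here."""
    findings = []
    for e in entries:
        allowed = authorized.get(e["emp"], set())
        if e["action"] in RECORD_ACCESS_ACTIONS and e["acct"] not in allowed:
            findings.append((e["emp"], e["action"], e["acct"]))
    return findings


def external_uploads(entries):
    """Control 2: any upload of customer records off the network. This is
    flagged even for accounts the employee is authorized to view, which is
    the control that was missing alongside the thumb-drive block."""
    return [(e["emp"], e["acct"]) for e in entries if e["action"] == "upload_external"]


def accounts_per_employee(entries):
    """Breadth metric: distinct accounts each employee touched, useful for
    spotting a bulk pull of 'all customer records' through a single report."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["emp"]].add(e["acct"])
    return {emp: len(accts) for emp, accts in seen.items()}


def run(lines=LOG_LINES, authorized=AUTHORIZED):
    """Apply both controls and the breadth metric to the given log lines."""
    entries = [parse_line(line) for line in lines]
    return {
        "unauthorized": unauthorized_access(entries, authorized),
        "uploads": external_uploads(entries),
        "breadth": accounts_per_employee(entries),
    }


if __name__ == "__main__":
    for name, result in run().items():
        print(name, result)
```

Running it flags emp_101’s two report exports of accounts outside the authorization table and emp_202’s external upload, while the plain portal views pass. The point of keeping the two checks separate is that each closes a different gap: the first catches access that a buggy report path let through, the second catches egress even when the access itself was legitimate.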
This is an important lesson for companies because unlike most breaches we hear about in the news, this was not a hack of the company itself. Morgan Stanley is being fined for its employee’s bad acts. Would the SEC fine Morgan Stanley if one of its employees printed customer records and then left them in a briefcase on a subway train? Perhaps.
The takeaway for companies is that they may be liable for cyber theft even where their own external defenses are in good shape and have not been breached. Time to brush up on internal policies and protocols.