Morgan Stanley Smith Barney LLC (“Morgan Stanley”), a registered broker-dealer and investment adviser, agreed to pay $1 million to settle administrative proceedings brought by the SEC. The SEC found that Morgan Stanley had violated Regulation S-P by failing to adopt written policies and procedures reasonably designed to protect customer records and information. Although Morgan Stanley had established certain policies and restrictions governing its employees’ access to, and use of, confidential customer data, and had implemented certain technology controls intended to prevent employees from copying data onto removable storage devices and from accessing certain websites, the SEC found that the firm failed to ensure that those policies and procedures were reasonably designed and operated as intended.
In its Order, the SEC cites as examples of Morgan Stanley’s failures (i) authorization modules that were ineffective in restricting access to customer information to authorized users; (ii) a failure to test or audit those modules at any point since they were created, roughly 10 years earlier; and (iii) a failure to monitor user activity in order to identify unusual or suspicious access. Morgan Stanley was censured and agreed to pay a civil money penalty of $1 million.
The administrative proceedings were brought after a former Morgan Stanley employee, Galen Marsh, misappropriated data, including sensitive personally identifiable information, relating to approximately 330,000 different households. Between approximately December 15, 2014 and February 3, 2015, portions of the stolen data were posted to various websites. Morgan Stanley discovered the breach on December 27, 2014 during one of its routine internet sweeps and promptly took steps to have the data removed. Morgan Stanley also alerted law enforcement and other authorities.
Related proceedings were instituted against Galen Marsh, who was criminally convicted, sentenced to 26 months of probation and ordered to pay $600,000 in restitution.