SEC fines Morgan Stanley $1 million for data-protection failures

The fine relates to an ex-broker, Galen Marsh, who took data from hundreds of thousands of the wirehouse's clients, some of which ultimately ended up online.
JUN 07, 2016
The Securities and Exchange Commission slapped Morgan Stanley with a $1 million penalty to settle charges related to failures to protect customer data, the agency announced Wednesday.

A former broker working in Morgan Stanley's wealth management group, Galen Marsh, was fired early last year for the theft of client data, which affected hundreds of thousands of the firm's clients. Now, the SEC is saying Morgan Stanley failed to adopt written policies and procedures reasonably designed to protect customer data, and violated what's known as the “Safeguards Rule.”

“As a result of these failures, from 2011 to 2014, a then-employee impermissibly accessed and transferred the data regarding approximately 730,000 accounts to his personal server, which was ultimately hacked by third parties,” the SEC said in a news release.

“Given the dangers and impact of cyberbreaches, data security is a critically important aspect of investor protection. We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information,” Andrew Ceresney, director of the SEC's enforcement division, said in the release.

Morgan Stanley settled without admitting or denying the allegations. In a statement, Morgan Stanley said after it discovered the data breach it had promptly alerted law enforcement and regulators, and notified affected clients.

“Morgan Stanley worked quickly to protect affected clients by changing account numbers and offering credit monitoring and identity theft protection services, and has strengthened its mechanisms for safeguarding client data,” the statement said. “No fraud against any client account was reported as a result of this incident.”

The SEC took issue with two of Morgan Stanley's internal web applications, or portals, that allowed its employees to access clients' confidential account information. Morgan Stanley didn't audit or test modules authorizing access to such portals, and didn't monitor or analyze employees' access to and use of them, according to the SEC. That allowed Mr. Marsh to download and transfer confidential data to his personal server at home over a period of three years. Some of that data was ultimately stolen from him and posted on the internet.

Mr. Marsh received a criminal conviction of three years' probation and a $600,000 restitution order for his actions.

In August of last year, the Federal Trade Commission said it wouldn't take action against Morgan Stanley for the data breach because it determined the breach was due to a glitch in data security controls and not a failure on the firm's part to secure account information in a reasonable and appropriate manner.
