D-Secure - Advanced Data Security Solutions

© 2026 D-Secure Inc. All rights reserved.

Major Bank Faces $35 Million SEC Penalty for Data Protection Failures

A detailed analysis of how improper IT asset disposition led to massive regulatory penalties and exposed millions of customer records. Learn critical lessons for your organization.

The Case Background: What Went Wrong?

This case shows how a major financial institution's failure to oversee the decommissioning of its data centers produced one of the largest data protection penalties in financial services history. The chain of failures began in 2014, and its regulatory and legal consequences ran on for nearly a decade.

The Initial Agreement

The bank contracted a moving company to decommission its data centers. The agreement specified that a named IT company would wipe or degauss every device before resale, and that detailed inventory reports and certificates of destruction (CODs) would be delivered to the bank for audit purposes.

Timeline of Critical Failures

The 2016 decommissioning involved a chain of oversight failures, each of which on its own would have been caught by a basic control, and which together produced the breach:

Vendor Switch Without Notification

The moving company stopped working with the certified IT company named in the contract and engaged a different vendor without notifying the bank. Inventory tracking and certificates of destruction stopped arriving, and nobody at the bank noticed that they had.

No Data Wiping Performed

The new vendor had data destruction capabilities but was never asked to wipe the drives; it assumed the data had already been erased upstream. The drives were resold at online auction with customer information still on them.

Failure to Review Documentation

The new vendor supplied Certificates of Indemnification (COIs) rather than Certificates of Destruction (CODs). The documents carried a different logo and letterhead from the contracted vendor's, but nobody at the bank reviewed them. A review of the paperwork alone would have shown that the drives were not being wiped.

Encryption Not Activated

Most of the devices shipped with built-in encryption that the bank did not activate until 2018, two years after the 2016 decommissioning. Data on the older devices therefore sat in plaintext, so any drive that left custody unwiped was readable by whoever bought it.

The Whistleblower Alert

On October 25, 2017, the bank received an email from an IT consultant in Oklahoma who had purchased hard drives through an online auction. The consultant's message was direct and damning:

"You are a major financial institution and should be following some very stringent guidelines on how to deal with retiring hardware. Or at the very least getting some kind of verification of data destruction from the vendors you sell equipment to."

It was only after this alert that the bank finally launched an investigation into the 2016 data center decommissioning activities.

Scale of the Data Exposure

The scope of the breach was staggering:

  • 4,900: devices handled by the moving company
  • 8,000: backup tapes removed from the data centers
  • 140,000+: pieces of consumer PII found on recovered drives
  • 15 million: customers notified of potential exposure

In July 2020, the bank notified approximately 15 million affected customers that "some devices assumed to have been erased of all information nonetheless included some unencrypted data" potentially containing PII. The great bulk of the hard drives from the 2016 decommissioning remain missing to this day.

Regulatory Violations and Penalties

The SEC cited violations of two Regulation S-P rules, both of which had been in force since 2005 at the latest:

Safeguards Rule (Rule 30(a) of Regulation S-P)

Requires covered entities to adopt written policies and procedures covering administrative, technical, and physical safeguards for the protection of customer records and information. The bank had no written policies covering the protection of customer data during decommissioning.

Disposal Rule (Rule 30(b) of Regulation S-P)

Requires entities that maintain consumer report information to take reasonable measures to protect against unauthorized access to or use of that information in connection with its disposal. The bank retained devices holding consumer report information but took no reasonable precautions when disposing of them.

Total Financial Impact

This single incident produced three separate regulatory and legal outcomes:

  • $60M: OCC civil money penalty for the data protection lapses
  • $60M: settlement of the customer class action over the breach
  • $35M: SEC penalty for the Safeguards Rule and Disposal Rule violations

Total: $155 million in penalties and settlements, before the cost of customer notifications, remediation, legal fees, and reputational damage.

Regulatory Message and Industry Implications

The SEC Enforcement Division's Director stated in the press release:

"The failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected. If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today's action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data."

The enforcement action makes clear that regulators treat disposal as part of data protection: a failure at the end of an asset's life is penalized as seriously as a failure during its use. With privacy and data protection rules continuing to tighten, businesses need controls that cover the full data lifecycle, including the last step.

Critical Lessons for Your Organization

This incident is a warning to every business that data sanitization and destruction matter as much as data management:

  • Develop Written Policies: Create standardized data destruction policies and implement them as part of data management, not as an afterthought at decommissioning time
  • Verify Vendor Compliance: Actively monitor third-party vendors, confirm that the vendor doing the work is the one named in the contract, and verify that agreed-upon procedures are followed for every batch
  • Review All Documentation: Examine every certificate and report a disposal vendor returns; confirm it is a certificate of destruction, names the expected vendor, and references the asset serial numbers
  • Maintain Chain of Custody: Keep detailed records of every IT asset from acquisition to final disposal, including serial numbers, so each asset can be matched to its proof of destruction
  • Enable Encryption: Activate full-disk encryption on all devices; it limits the damage when a drive escapes custody, but it is not a substitute for sanitization unless the keys are verifiably destroyed (cryptographic erase)
  • Choose Certified Partners: Work only with certified ITAD vendors who provide verifiable proof of destruction
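One way to make the "review all documentation" and "chain of custody" lessons mechanical, as an added example that is not D-Secure's code or the bank's actual process: reconcile the decommissioning inventory against every certificate that comes back, and refuse to release a batch for resale until each serial has a certificate of destruction from the vendor the contract names. The inventory records, certificate records, vendor names and field layout below are constructed for illustration.

```python
"""Reconcile a decommissioning inventory against the certificates a vendor returns.

Added example for this case study, not D-Secure's product code or the bank's
actual process. Field names, vendor names and sample records are constructed.
"""

# Vendor named in the contract to perform wiping/degaussing (assumed name).
CONTRACTED_VENDOR = "CONTRACTED-ITAD-CO"

# Constructed inventory handed over at decommissioning: one record per asset.
INVENTORY = [
    {"serial": "SN-1001", "type": "hdd", "encrypted": True},
    {"serial": "SN-1002", "type": "hdd", "encrypted": False},
    {"serial": "SN-1003", "type": "tape", "encrypted": False},
    {"serial": "SN-1004", "type": "hdd", "encrypted": False},
]

# Constructed certificates returned by the disposal chain. "COD" is a
# certificate of destruction; "COI" is a certificate of indemnification,
# which attests to nothing about the data on the asset.
CERTIFICATES = [
    {"serial": "SN-1001", "kind": "COD", "vendor": "CONTRACTED-ITAD-CO", "method": "NIST SP 800-88 purge"},
    {"serial": "SN-1002", "kind": "COI", "vendor": "UNKNOWN-RESELLER", "method": None},
    {"serial": "SN-1003", "kind": "COD", "vendor": "UNKNOWN-RESELLER", "method": "degauss"},
    {"serial": "SN-9999", "kind": "COD", "vendor": "CONTRACTED-ITAD-CO", "method": "NIST SP 800-88 purge"},
]


def reconcile(inventory, certificates, contracted_vendor):
    """Match every inventoried asset to its certificates and classify the gaps.

    Returns a dict of sorted serial lists, one per failure class. An asset is
    counted as sanitized only when a COD from the contracted vendor exists.
    """
    certs_by_serial = {}
    for cert in certificates:
        certs_by_serial.setdefault(cert["serial"], []).append(cert)

    findings = {
        "no_certificate": [],          # asset left custody with no paperwork at all
        "wrong_certificate_type": [],  # paperwork exists but none of it is a COD
        "unexpected_vendor": [],       # a certificate came from a vendor the contract did not name
        "unencrypted_unverified": [],  # plaintext data and no verified destruction
        "unknown_serial": [],          # certificate for a serial not in the inventory
    }

    for asset in inventory:
        serial = asset["serial"]
        certs = certs_by_serial.get(serial, [])
        cods = [c for c in certs if c["kind"] == "COD"]
        verified = any(c["vendor"] == contracted_vendor for c in cods)

        if not certs:
            findings["no_certificate"].append(serial)
        elif not cods:
            findings["wrong_certificate_type"].append(serial)
        if any(c["vendor"] != contracted_vendor for c in certs):
            findings["unexpected_vendor"].append(serial)
        if not asset["encrypted"] and not verified:
            findings["unencrypted_unverified"].append(serial)

    known = {a["serial"] for a in inventory}
    findings["unknown_serial"] = [s for s in certs_by_serial if s not in known]
    return {cls: sorted(serials) for cls, serials in findings.items()}


def release_allowed(findings):
    """Gate: a batch may be released for resale only when every class is empty."""
    return all(len(serials) == 0 for serials in findings.values())


if __name__ == "__main__":
    result = reconcile(INVENTORY, CERTIFICATES, CONTRACTED_VENDOR)
    for cls, serials in result.items():
        print(f"{cls:24s} {serials}")
    print("release allowed:", release_allowed(result))
```

Run against each batch as it comes back, a check like this surfaces exactly the failures in the timeline above: serials with no paperwork (the certificates stopped arriving), COIs in place of CODs, and certificates from a vendor the contract never named. The encryption flag only lowers the severity of a missing certificate; a drive whose keys were never destroyed still needs a COD before it leaves custody.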

Protect Your Organization from Similar Penalties

D-Secure provides certified data erasure solutions with verifiable proof of destruction, helping you avoid the costly mistakes that led to this historic penalty.
