Lessons for electronics recyclers from Morgan Stanley data breach

During the second week of July, Morgan Stanley, which is a multinational investment bank and financial services company based in New York, notified customers and brokers of a potential data compromise.

According to a report from AdvisorHub, a news outlet for financial advisors, Morgan Stanley had hired a vendor to scrub devices from two data centers that closed in 2016, but the vendor had left some client data on the devices. Morgan Stanley has not disclosed the name of the vendor. Some of those servers and hardware were then sold to recyclers, and one recycler had notified Morgan Stanley of the data breach more than a year ago. 

The AdvisorHub report states that Morgan Stanley and technical experts are analyzing the potential risk to clients’ data, but no unauthorized activity related to the incident has been detected. The company has been offering customers potentially affected by the data breach a two-year subscription to its Experian credit reports.

AdvisorHub also reports that Morgan Stanley has filed a lawsuit alleging negligence and invasion of privacy over its vendor’s failure to properly scrub decommissioned hardware of personal information. 

This is not the company’s first data breach incident. In 2016, the bank had agreed to pay a $1 million fine to settle U.S. Securities and Exchange Commission civil charges that security lapses at Morgan Stanley had enabled Galen Marsh, a former financial adviser at Morgan Stanley, to tap into its computers and take client data home, according to a Reuters report from June 2016.

Lessons for electronics recyclers

Bob Johnson, CEO of the International Secure Information Governance & Management Association (i-SIGMA), Phoenix, has offered his perspective on the data breach notification from Morgan Stanley. 

“Most organizations don’t think about IT (information technology) assets discarded years ago, don’t think about the qualifications of the vendors they used years ago and don’t consider missing or improperly handled IT assets worthy of a breach notification,” Johnson says. “Morgan Stanley did. And in doing so, they did the right thing by their customers, by regulators, and, in the end, for themselves.

“While I like to think the company’s decision to issue the notification was because it was the right thing, I realize it was more likely that the decision was largely made from a risk management perspective—they realized the consequences would have been worse if any of those assets turned up later with personal information on them.”

Johnson lists the following as some takeaways for all organizations:

• There is risk in past careless IT asset disposal (ITAD) practices. “There is no statute of limitations or safe harbor for improperly discarded IT assets,” Johnson says. “The equipment at Morgan Stanley was discarded four years ago. If an organization didn’t practice due diligence with all service providers over the course of time, the organization is still liable. This not only applies to how electronic equipment was recycled, but copy machines, printers, video recording devices, etc.”
• Improper ITAD is a risk carried forward indefinitely. Johnson says there is no statute of limitations on future data breaches. “If a hard drive turns up five or 10 years down the road with personal information on it, it is still a data breach plain and simple,” he says. “Ignoring or missing improperly wiped electronic media today simply means there are a bunch of time bombs floating around. There is no worse fear for risk managers than known liabilities carried forward indefinitely.”
• Potential improper disposal of IT equipment must be investigated. If equipment with personal information turns up later, the second-worst thing an organization can do from a regulatory perspective is admit that it did not investigate the potential data breach, Johnson says.
• If discovered later, not reporting a potential breach will be much more costly than doing the proper notification. Johnson says the “first worst thing” an organization can do is not report a data breach. “Regulators and law enforcement are much tougher on organizations who do not warn victims they are [in] risk than they are on those who do,” he says. “Had Morgan Stanley not understood it was much riskier to remain silent than to make the notification, they may not have. I want to give them some credit for doing the right thing, but risk-reward calculation as certainly preeminent in the decision.”

Looking to the future, Johnson says organizations need to do a better job at mitigating data breaches and reporting data breaches. He says companies need to be sure they are accounting for IT equipment from the moment it’s acquired to the point it’s finally disposed as well as elevating the selection criteria, operating criteria, monitoring procedures and contracts of ITAD services they use.

“The right vendor should be able to guide any company through the host of compliance and risk minimization issues implicated in proper disposition. If they cannot do that, it’s the wrong vendor,” Johnson says.