Over the past few years, many businesses and organizations have zeroed in on the risks posed by digital footprints, connecting them to phishing attacks that can lead to fraudulent financial actions, locked files, or stolen customer data. But this fall, a massive settlement with the U.S. Securities and Exchange Commission (SEC) highlighted another risk, one that many consumers probably assume businesses already take steps to prevent. In September, Morgan Stanley Smith Barney (MSSB) agreed to pay $35 million to settle charges that it had improperly handled the Personally Identifiable Information (PII) of 15 million customers over a five-year period.

While it may seem hard to be surprised by yet another corporate data breach, the details in the Morgan Stanley case stand out. Gurbir S. Grewal, Director of the SEC’s Enforcement Division, noted that “MSSB’s failures, in this case, are astonishing.” Instead of digitally shredding decommissioned hard drives and servers, or ensuring that a trusted vendor did so, Morgan Stanley passed them off to a moving and storage company with no information security expertise. The contracted company then sold the devices to another company, and some of the hardware ended up on auction sites. In 2017, an IT consultant in Oklahoma bought some of the hard drives, realized he could access customer data, and wrote to Morgan Stanley to alert them to their reckless security practices, according to the New York Times. While Morgan Stanley eventually recovered some of the hardware (and found unencrypted data on it), most has not been located. Additionally, during a refresh of local and branch office servers, Morgan Stanley learned it hadn’t activated the encryption software on the devices—even though they were equipped with it. While updating hardware, it also found that 42 servers were missing.
What went wrong for Morgan Stanley?
It’s easy to point out where Morgan Stanley could have handled customer information more responsibly: destroying data in-house before decommissioning machines, working with vendors who could confirm digital shredding before resale, and (obviously) turning on the encryption capabilities it already had. But it’s also worth pointing out that Morgan Stanley likely didn’t need to permanently store so much PII in the first place. Data expiration guidelines and automatic purges might have limited the damage. The Morgan Stanley settlement is a good reminder for companies that regularly decommission equipment—whether hard drives, servers, or even copy machines—to put practices in place that ensure customer and staff PII is safe. Fax machines belong on this list too; most use random access memory rather than hard drives, but it’s still good policy to erase stored images before disposing of them. Ultimately, encryption is key, and it matters long before hardware is decommissioned. There’s no reason sensitive data should ever be kept in a way that isn’t secure.
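To make the "data expiration guidelines and automatic purges" point concrete, here is a small added example (not code from the original post or from Botdoc) of a retention policy that strips the PII-bearing payload from a transfer record once delivery is confirmed or a retention window lapses, keeps only the tracking metadata, and audits for anything left behind. The `Transfer` fields, the 30-day window and the sample records are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy for this example: delivered content is purged as soon as delivery
# is confirmed; undelivered content is purged 30 days after creation.
RETENTION = timedelta(days=30)

@dataclass
class Transfer:
    """One transported item: the PII-bearing payload plus its tracking metadata."""
    tracking_id: str
    created: datetime
    payload: Optional[bytes]
    delivered: Optional[datetime] = None
    purged: Optional[datetime] = None

def should_purge(t: Transfer, now: datetime) -> bool:
    """Purge once delivery is confirmed, or once the retention window lapses."""
    if t.payload is None:  # already purged
        return False
    if t.delivered is not None:
        return True
    return now - t.created >= RETENTION

def purge(store: list[Transfer], now: datetime) -> list[str]:
    """Drop payloads that meet the policy; keep only tracking metadata, stamped with the purge time."""
    # Note: this deletes content from the application store; the underlying disks still
    # need encryption at rest so freed blocks cannot be read from decommissioned media.
    purged = []
    for t in store:
        if should_purge(t, now):
            t.payload = None
            t.purged = now
            purged.append(t.tracking_id)
    return purged

def residual_payloads(store: list[Transfer], now: datetime) -> list[str]:
    """Audit check: records that should have been purged but still hold a payload."""
    return [t.tracking_id for t in store if should_purge(t, now)]

def build_sample_store(now: datetime) -> list[Transfer]:
    """Constructed sample records for the example (not real data)."""
    return [
        Transfer("trk-001", now - timedelta(days=2), b"ssn=...", delivered=now - timedelta(days=1)),
        Transfer("trk-002", now - timedelta(days=40), b"account=..."),
        Transfer("trk-003", now - timedelta(days=5), b"dob=..."),
    ]
```

Running `purge` on the sample store removes the delivered record's payload and the 40-day-old undelivered one, leaves the 5-day-old transfer intact, and `residual_payloads` then returns an empty list.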
The Botdoc Way
Botdoc allows companies to engage with other parties securely with end-to-end encryption, without the need for PINs, passwords, logins, accounts, apps or software to download. Companies are reducing operational friction while improving their cybersecurity posture, closing more transactions faster, with less human error than any other security solution on the market. Everything transported through Botdoc is tracked like shipping, so companies can ensure documents and data are properly delivered. Providing a better customer experience is a Botdoc mission, giving customers back more time and minimizing friction in their day-to-day business operations.

Botdoc offers secure file transport with end-to-end encryption. After a customer, client or partner transports data, our API places that data exactly where it needs to go in your system of record, limiting the potential for human error and compliance violations. Once Botdoc confirms receipt of delivery, we automatically purge the data from our platform, keeping only the metadata (tracking information) on the transaction. Botdoc provides easy, secure, customer-centric, remote, end-to-end encryption, all without the logins, passwords, third-party portals, PINs, software, and apps that frustrate customers.