The U.S. Treasury Department has issued a major fine to Morgan Stanley for improper management of drives. Executives in the electronics recovery sector say the case reaffirms the warnings they have been giving to corporate partners for years.
In a statement to E-Scrap News, Bob Johnson, CEO of the National Association for Information Destruction (NAID), said the fine “has corporate risk managers shaking in their boots.”
“The improper disposal that resulted in this sanction goes back four years and is a reminder that historical bad practices eventually come home to roost,” wrote Johnson, who also authored a blog post about the case. “It is also likely that clients’ professional liability underwriters are paying close attention, and that clients will be required to demonstrate intense vendor selection due diligence in order to maintain their insurance coverages.”
On Oct. 8, the Office of the Comptroller of the Currency (OCC), part of the Treasury Department that regulates banks, released a consent order detailing the fine. The penalty, which Morgan Stanley Bank and Morgan Stanley Private Bank agreed to pay, was based on the failure of the banks to exercise proper oversight of the 2016 decommissioning of two Wealth Management business data centers in the U.S., according to an OCC press release. In 2019, the banks experienced similar vendor management control deficiencies while decommissioning other network devices with customer data, the release states.
The third-party ITAD vendor involved hasn’t been publicly identified by Morgan Stanley or the OCC.
According to the consent order, the OCC directed the bank to notify potentially impacted customers of the 2016 incident. The bank voluntarily notified those potentially impacted by the 2019 incident. Since the notifications went out this summer, multiple class-action lawsuits have been filed on behalf of clients.
In a statement to E-Scrap News, a Morgan Stanley spokesperson said that, as the company reported in July, the company doesn’t believe any client information has been accessed or misused.
“Moreover, we have instituted enhanced security procedures, including continuous fraud monitoring, and will continue to strengthen the controls that we have in place to protect our clients’ information,” according to the spokesperson. “Safeguarding our client’s information is of paramount importance.”
The following were reactions from a handful of ITAD company leaders on the news of the penalty (in alphabetical order by company name):
Serdar Bankaci, president of Greensburg, Pa.-based processor CyberCrunch, said it was only a matter of time before an ITAD company was involved in a data breach. In an in-depth response to the case, Bankaci said the vendor’s process could have broken down in the data destruction process and/or the documentation, which is just as important as the actual destruction.
“Without adequate records, it’s like the process never occurred,” he wrote. “The Morgan Stanley incident further affirmed my fears that many ITAD companies do not follow through on their documentation process. Unfortunately, delayed, incomplete or missing documentation is all too common in the industry.”
He emphasized the importance of proper paperwork and reporting, including the labor-intensive process of capturing serial numbers of equipment.
“We see multi-billion-dollar companies who decline asset reporting because it costs a few hundred dollars,” he wrote. “With IT budgets declining, CFOs and CTOs need to ensure that end-of-life asset management is factored into the total cost of ownership.”
Echo Consolidated Holdings Group (ECHG)
Tommy McGuire, president of ECHG and its subsidiaries, Echo Environmental, ITAD USA and Teladvance, wrote that the fine for failing to effectively dispose of IT assets from data centers and network devices “marks a significant warning to business leaders nationwide.” ECHG is a family of Dallas-area companies involved in ITAD, e-scrap recycling and IT services.
“Although IT procurement tends to get a lot of C-suite attention, IT asset disposal is often treated as an afterthought,” he wrote. “The OCC’s hefty penalty puts into the spotlight what ITAD service providers have been preaching to their clients for years – securely disposing of IT assets and the data they contain is critical to a company’s business success, building client trust, and protecting our environment. Ignoring ITAD’s importance can lead to lasting reputational damage and balance-sheet turmoil.
“As noted by the OCC, business leaders must allocate appropriate resources to keep track of their customer data, understand the perils associated with its disposal, make informed decisions in selecting ITAD service providers, and monitor the disposal process through successful completion,” McGuire continued. “The notion that one can simply ‘get a disposal certificate for the file and call it a day’ is a delusion. ECHG and other ITAD providers can play a vital role in guiding clients through the process and getting it right.”
IT Asset Management Group (ITAMG)
Frank Milia, a partner and NAID-certified secure destruction specialist at Farmingdale, N.Y.-based ITAMG, wrote on LinkedIn about the case and its implications. He believes the fine was so large because of the OCC’s accusation that the bank failed to exercise adequate due diligence in selecting the third-party vendor and failed to adequately monitor the vendor’s performance.
“In the most simplest terms it appears that Morgan Stanley did little to deter these breaches from occurring, but the impact of the breaches were multiplied by the inability to establish that any care was taken in their approach to data disposition and vendor management,” he wrote in his post.
ITRenew is a Newark, Calif.-based processor that has focused on the data center business.
Ali Fenn, president of ITRenew, said the fine “is fully deserved, but the question about responsibility remains. Morgan Stanley has an obligation to protect its clients’ data, and should have demanded that its decommissioning partner have bullet proof data sanitization software and the right operations and logistics to ensure immutable and auditable chain of custody. Decommissioning is first and foremost about data security. We are proud to say that in our 20-year history, and through numerous forensic audits, not a single byte of data has ever been found on an ITRenew wiped device.”
Sims Lifecycle Services (SLS)
SLS, part of publicly traded scrap metals giant Sims Metal Management, has shifted its focus in recent years from recycling consumer electronics to decommissioning data centers.
In a response, Sean Magann, global vice president of sales and marketing for SLS, had a number of takeaways from the Morgan Stanley case. Some ITAD vendors are great at moving material around and tracking shipments by the pallet, Magann wrote, but the Morgan Stanley case shows that tracking by the pallet wasn’t enough.
“They needed more specific tracking and traceability of each and every unit, because in this type of work you cannot afford to lose even one hard drive,” he wrote.
He wasn’t surprised by the incidents and penalty, he wrote. Even as he’s seeing more companies vetting their ITAD vendors, he still sees many treating ITAD and data center work as a commodity, choosing vendors partly on price.
“The irony is that to save a couple thousand dollars a year by choosing a sub-qualified vendor, they might be risking a multi-million-dollar lawsuit,” he wrote. “Some smaller vendors may not even have assets worth that much.”
More stories about data security
- Tracking service looks upstream of ITAD providers
- Survey probes COVID-19 e-scrap impact on enterprises
- How a processor brought drive wiping and repair to ITAD sites