Does Morgan Stanley Hope It’s Too Small to Fail?

On July 9th, Morgan Stanley began notifying customers that a vendor had failed to properly remove client data from hardware at two data centers that were closed in 2016. It was also discovered in 2019 that old servers from some branches could not be located.

According to data breach notifications sent to state Attorneys General, only a “small number” of servers could not be located. Morgan Stanley must hope it is too small to fail.

Within days of disclosure, a pair of class action lawsuits had been filed. In a previous post, I posed the question, how would your ITAM program survive bone-crushing discovery if a missing computer is suspected in a breach?

Plaintiffs are eager to demonstrate that defendants ignored their obligations. Easily discoverable information makes IT asset management (ITAM) in general, and IT asset disposition (ITAD) in particular, prime targets for bone-crushing discovery.

Naturally, we should expect plaintiffs to ask: how do we know only a “small” number of servers are missing?

Inventory discrepancies during the disposal phase of ITAM represent the ITAD Gap. The bigger the gap, the bigger the exposure. Morgan Stanley wants Attorneys General to believe that its ITAD Gap is very “small.”

Morgan Stanley is not alone. Every company has an ITAD Gap, which is why every company should treat ITAD as a security threat.

Unfortunately, it appears Morgan Stanley missed a window of opportunity to detect and correct problems before incidents became breaches. There is a “golden hour” at the onset of an ITAD incident when well-thought-out planning and an effective response can make or break the situation.

Also unfortunately, it appears Morgan Stanley may have fallen victim to believing encryption is a silver bullet for ITAD. Too often encryption is used as a justification for disregarding chain-of-custody procedures during ITAD. Encryption is not a silver bullet in ITAD.

Time will tell what really happened. A judge or jury may decide whether safeguards were ignored. What is known is that organizations face more severe sanctions and punitive litigation if they disregard their obligations and a breach is later discovered. Prevention is key. Detection is a must. Independent verification is required.

Could this be the looming ITAD Black Swan? If the prediction proves true, your company can still avoid being one of Taleb’s “turkeys.”

Close the gap without changing a vendor. If you want to ensure your ITAD program could withstand bone-crushing discovery, please ping me.

Respectfully,

Kyle
