On July 9th, Morgan Stanley began notifying customers that a vendor failed to properly remove client data from hardware from two data centers that were closed in 2016. It was also discovered in 2019 that old servers from some branches could not be located.
According to data breach notifications sent to state Attorneys General, only a “small number” of servers were unable to be located. Morgan Stanley must hope it is too small to fail.
Within days of disclosure, a pair of class action lawsuits had been filed. In a previous post, I posed the question, how would your ITAM program survive bone-crushing discovery if a missing computer is suspected in a breach?
Plaintiffs are eager to demonstrate defendants ignored obligations. Easily-discoverable information makes IT asset management (ITAM) in general, and IT asset disposition (ITAD) in particular, prime targets for bone-crushing discovery.
Naturally, we should expect plaintiffs to ask, how do we know only a “small” number of servers is missing?
Inventory discrepancies during the disposal phase of ITAM represent the ITAD Gap. The bigger the gap, the bigger the exposure. Morgan Stanley wants Attorneys General to believe that its ITAD Gap is very “small.”
Morgan Stanley is not alone. Every company has an ITAD Gap, which is why every company should treat ITAD as a security threat.
Unfortunately, it appears Morgan Stanley missed a window of opportunity to detect and correct problems before incidents became breaches. There is a “golden hour” at the onset of an ITAD incident when well thought out planning and effective response can make or break the situation.
Also unfortunate, it also appears Morgan Stanley may have fallen victim to believing encryption was a silver bullet with ITAD. Too often encryption is a justification for disregarding chain-of-custody procedures during ITAD. Encryption is not a silver bullet in ITAD.
Time will tell what really happened. A judge or jury may decide if safeguards were ignored. What is known, organizations face more severe sanctions and punitive litigation if it disregards obligations and a breach is later discovered. Prevention is key. Detection is a must. Independent verification is required.
Could this be the looming ITAD Black Swan? If it turns out the prediction proves true, your company can still avoid being one of the Taleb’s “turkeys.”
Close the gap without changing a vendor. If you want to ensure your ITAD program could withstand bone-crushing discovery, please ping me.
Respectfully,
Kyle