What We Learned from The Morgan Stanley Breach
Morgan Stanley has agreed to pay $60 million to settle a class-action suit by consumers claiming the firm failed to safeguard their personal information.
The breach was initially disclosed in July 2020. It involved improper management of IT asset disposition.
In October 2020, the Office of the Comptroller of the Currency assessed a $60 million civil money penalty against the bank for engaging “in unsafe or unsound practices that were part of a pattern of misconduct.”
Within weeks, numerous class-action lawsuits had been filed. The cases were consolidated and subsequently, a year later, settled.
During this time, dozens of vendors wrote posts and issued press releases with a rudimentary claim — if you only use them, what happened to Morgan Stanley won’t happen to you.
This claim is misleading and harmful to the profession of IT asset management.
Facts In The Case
It is essential to understand the facts of the case. Morgan Stanley disclosed two breaches. In one, after purchasing assets from another vendor, a respected e-Stewards certified vendor resold assets that still contained Morgan Stanley customer data. On the other, retired assets went missing. An unnamed vendor claimed the assets were never received.
No vendor can protect an asset it doesn’t receive. And if a certified vendor is permitted to resell untested assets containing data, how effective is the standard?
The only way to protect your organization with absolute certainty is to track 100% of assets to guarantee chain of custody and obtain proof of data destruction.
Key Lessons
There are two key lessons we can draw from the Morgan Stanley breach.
- What can’t be tracked can’t be protected by any vendor.
- Working with a certified ITAD vendor does NOT guarantee success.
Defensible Disposition
When it comes to defensible disposition, how you manage matters more than whom you choose (assuming you already work with certified vendors).
Morgan Stanley’s slipup cost them $60 million in fines and another $60 million to settle a class-action lawsuit. Employees engaged in “specific acts of deceptive conduct” and “efforts to conceal” problems. Morgan Stanley reportedly terminated a vice president for his role.
Before you think employees fear personal exposure more than privacy laws, learn precisely why they are afraid.
The landmark federal complaint against Morgan Stanley cited my work as best practice. I’ll show you exactly why employees are afraid and how to fix the problem.
According to a Chinese proverb, the best time to plant a tree was 20 years ago. The second-best time is now. The best time to start tracking 100% of your assets is today. Schedule a call with me today.
How We Can Help
If you need a simple, vendor-agnostic approach for a defensible disposition, I would be pleased to share a strategy and outline the options. Call me at (888) 839-6555 or email kmarks@retire-it.com.