By Pete Schroeder
WASHINGTON (Reuters) -A Morgan Stanley unit has agreed to pay $35 million to settle Securities and Exchange Commission charges it repeatedly failed to safeguard personal information for millions of customers, the regulator said Tuesday.
The SEC said that for five years, Morgan Stanley Smith Barney failed to protect personal identifying information for 15 million customers. The firm agreed to pay the fine without admitting or denying its findings.
Dating back to 2015, the firm failed to properly dispose of devices containing sensitive information, including repeatedly hiring a moving and storage company with no proper expertise to decommission thousands of hard drives and servers, the SEC said. Those devices wound up being sold to a third party and ultimately auctioned online with the personal information intact and unencrypted. Only a portion of those devices were recovered, according to the regulator.
The SEC also said the firm lost track of 42 servers containing personal information when it was undergoing a hardware refresh program, and failed to activate existing encryption software on those devices for years beforehand.
“MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so,” Gurbir Grewal, the SEC’s enforcement director, said in a statement.
In a statement, a Morgan Stanley spokesperson said the firm was pleased to resolve the matter, and had previously notified affected clients of the issues. The firm has not detected any unauthorized access or misuse of personal information, the firm added.
(Reporting by Pete Schroeder; Editing by Edwina Gibbs and Chizu Nomiyama)