If they haven’t already, companies that handle customers’ personal information should read a letter released recently by the Federal Trade Commission that concludes an investigation by the agency into data security practices at Morgan Stanley.
The probe by the FTC followed Morgan Stanley’s firing in January of a financial adviser who downloaded and took home details for the accounts of 350,000 of the firm’s roughly 3.5 million wealth-management clients. Morgan Stanley later discovered some of the information on Pastebin, a site for posting and sharing text.
Though the information reportedly included account names and numbers, account values and states of residence, the bank said that no clients incurred financial harm as a result of the breach. Law-enforcement officials later investigated whether hackers obtained the information from the adviser’s computer and posted the details online.
Two factors influenced the FTC’s decision to end its investigation without charging Morgan Stanley with failing to secure the information in violation of Section 5 of the FTC Act, the federal law that prohibits unfair or deceptive acts or practices by businesses.
First, the FTC found that Morgan Stanley maintained “comprehensive policies designed to protect against insider theft of personal information.” According to the agency, the firm limits employees’ access to data for which they have a business need, monitors data transfers by employees, prohibits the use of USB flash drives and other devices that can be used to remove data, and blocks employees’ access to websites the firm regards as high-risk.
Second, although the adviser was able to obtain a “narrow set of reports” for which Morgan Stanley had configured access controls improperly, the company fixed the problem quickly after the breach came to its attention.
“We continue to emphasize that data security is an ongoing process,” the FTC wrote. “As risks, technologies, and circumstances change over time, companies must adjust security practices accordingly. As employees increasingly use personal websites and a host of online applications, companies should deploy appropriate controls to address the potential risks of broad access to such resources on work devices.”