The financial costs from Morgan Stanley’s ITAD project mismanagement have grown to over $163 million. (Part 1)
◾ The U.S. Securities and Exchange Commission (SEC) in September slapped Morgan Stanley Smith Barney (MSSB) with a $35 million fine.
◾ That was nearly two years after the Treasury Department fined the company $60 million.
◾ In August 2022, MSSB finalized a legal settlement obligating it to pay $68.2 million to protect customers whose personal information it can’t account for, as well as hire an outside firm to try to track down lost devices.
State attorneys general are also looking into the matter, and new details on the data loss incidents have recently come to light.
♦ The legal issues all stem from IT asset decommissioning and refresh projects MSSB undertook between 2016 and 2019.
◾ MSSB hired a moving company with no data destruction experience to decommission two U.S. data centers in 2016; devices holding unencrypted customer data were eventually sold online.
◾ In 2019, MSSB simply lost track of dozens of devices containing customer data during an IT refresh project.
♦ MSSB hired a New York moving company, Triple Crown, to handle a 2016 project to decommission two data centers.
◾ MSSB had previously contracted with IBM to handle its ITAD work but canceled that contract in an attempt to save about $100,000.
◾ MSSB contracted Triple Crown to pick up, transport and decommission certain devices.
◾ MSSB knew that Triple Crown was strictly a moving company, with no experience or expertise in electronic data destruction.
♦ That same contract also identified an unnamed e-scrap management company that would wipe or degauss the devices and resell them, with 60-70% of the resale amount going back to MSSB.
◾ The document also called for MSSB to receive asset and disposition reports, along with certificates of destruction.
♦ The project involved 4,900 devices, many of which were non-data-bearing devices but some of which held thousands of pieces of unencrypted personal information and consumer report information for MSSB’s customers.
◾ The data-bearing material included 53 redundant array of independent disks (RAID) arrays that collectively contained approximately 1,000 hard drives.
◾ The moving company also removed approximately 8,000 backup tapes from one of the data centers.
♦ Early in the project, Triple Crown stopped working with that unidentified e-scrap company and began working with New Jersey-based AnythingIT without MSSB’s knowledge or approval.
◾ Triple Crown began selling drives to AnythingIT, which was told that the devices had already been wiped.
◾ AnythingIT then sold the data-bearing devices to Palm Beach, Florida-based IT asset management company KruseCom, which either destroyed or sold them online through an auction site.
More excellent, in-depth reporting on this case by Jared Paben, Associate Editor at Resource Recycling.