Ickes \ Holt LLC

Information Security. Corporate Law. Litigation

Jul 22, 2016

Morgan Stanley Smith Barney Not “Too Big To Fail” SEC Administrative Proceeding

In October 2008, Morgan Stanley received a $10 billion bailout from the U.S. Government. Morgan Stanley, amongst other financial institutions, was simply “too big to fail.” In 2016, however, the Securities and Exchange Commission (“SEC”) determined that one of Morgan Stanley’s subsidiaries, Morgan Stanley Smith Barney (“MSSB”), was not “too big to fail” an SEC administrative proceeding. On June 8, 2016, the SEC issued an order against MSSB for its violation of the Safeguards Rule (Rule 30(a) of Regulation S-P). The Order instituted an administrative cease and desist for violations of the Safeguards Rule and levied a $1 million civil penalty.[i]

The gist of the underlying facts is as follows. MSSB maintained substantial personally identifiable information (“PII”) in 2 specific Web applications accessible through MSSB’s intranet. MSSB had adopted written policies and procedures intended to restrict employees’ access to, and handling of, customer PII. Under these policies, MSSB employees were prohibited from accessing PII other than what was necessary to perform specific responsibilities. MSSB also installed technology controls, including: (1) authorization protocols designed to allow employees access to only PII belonging to that employee’s customers; (2) controls restricting employees from copying data onto removable storage devices; and (3) controls restricting employee access to certain categories of websites via MSSB computers.[ii]

In or about 2011, an MSSB employee (“Marsh”) discovered multiple flaws in the security of MSSB’s technology controls which ultimately allowed him to circumvent all restrictions and obtain unauthorized access to customer PII. Marsh was able to download and transfer the PII by accessing his personal website from his MSSB computer and uploading the PII to his personal server. MSSB’s filtering software did not prevent employees from accessing “uncategorized” websites from MSSB computers. During a routine Internet sweep in December 2014, MSSB identified some of the PII for sale on the Internet. Ultimately, MSSB determined that a third party hacked Marsh’s personal server and copied the PII.[iii]

The Safeguards Rule requires covered organizations to “adopt written policies and procedures reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.”[iv] According to the Order, MSSB violated the Safeguards Rule because: (1) its existing policies and procedures were not reasonably designed to meet the Rule’s objectives; (2) its technology protocols contained design flaws which rendered them effectively useless; (3) it failed to reasonably audit/test the technology protocols in place; and (4) it failed to monitor and analyze employees’ access to the customer PII.[v]
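The three control failures the Order describes (an authorization check that did not actually limit employees to their own customers, a web filter that let “uncategorized” destinations through, and no monitoring of employee access to PII) map onto three small deny-by-default checks. The following is an added illustration, not code from the page, the SEC or MSSB; the employee names, customer IDs, host names and access events are all constructed.

```python
from __future__ import annotations

# Constructed assignment table: which customer records each employee may view.
ASSIGNMENTS: dict[str, set[str]] = {
    "advisor_a": {"C100", "C101"},
    "advisor_b": {"C200"},
}

# Constructed web-filter category map; any host not listed is "uncategorized".
SITE_CATEGORIES: dict[str, str] = {
    "crm.example.internal": "business",
    "news.example": "news",
}
ALLOWED_CATEGORIES = {"business", "news"}


def may_view_customer(employee: str, customer_id: str) -> bool:
    """Authorization: an employee sees only PII for customers assigned to them.
    Unknown employees and unassigned customers fall through to deny."""
    return customer_id in ASSIGNMENTS.get(employee, set())


def egress_allowed(host: str) -> bool:
    """Egress filter: an uncategorized destination is blocked, not waved through.
    This inverts the allow-by-default behaviour the Order faults."""
    category = SITE_CATEGORIES.get(host, "uncategorized")
    return category in ALLOWED_CATEGORIES


def unauthorized_lookups(events: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Monitoring, part 1: replay access events (employee, customer_id) against
    the assignment table and return every lookup that should have been denied."""
    return [(e, c) for e, c in events if not may_view_customer(e, c)]


def flag_bulk_access(events: list[tuple[str, str]], threshold: int) -> dict[str, int]:
    """Monitoring, part 2: count distinct customer records each employee touched
    and flag anyone above the threshold, even if each single lookup was allowed."""
    seen: dict[str, set[str]] = {}
    for employee, customer_id in events:
        seen.setdefault(employee, set()).add(customer_id)
    return {e: len(c) for e, c in seen.items() if len(c) > threshold}
```

Running `unauthorized_lookups` and `flag_bulk_access` over the same access log on a schedule is the kind of audit/test activity the Order says was missing for ten years.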

There are multiple lessons to be taken from MSSB’s settlement:

Lesson 1: The MSSB settlement provides valuable insight into what is clearly the SEC’s very strict definition of “reasonable” security. By most standards, MSSB actually complied with the Safeguards Rule. MSSB had written policies and procedures and technology controls meant to address the Safeguards Rule. Moreover, unlike many companies out there, MSSB’s discovery of, and incident response to, the data breach was quick and effective:

  • MSSB discovered the compromised data within what appears to be a matter of a week or so once it was posted for sale online.
  • MSSB discovered the exposed PII during a regular sweep of the Internet, which demonstrates they have someone actively monitoring potential risks.
  • MSSB swiftly took steps to remove the PII from the Internet and notified proper authorities.
  • MSSB immediately started an investigation and within a few days of discovering the breach, procured an admission from Marsh.
  • MSSB began notifying affected customers by January 5, 2015, just 9 days after discovering the breach.

MSSB recognized its obligation under the Safeguards Rule, devoted resources to the issue, and took meaningful steps to comply. In fact, the Federal Trade Commission declined to bring charges against MSSB under Section 5 for the exact same incident, citing MSSB’s “comprehensive policies designed to protect against insider theft[.]”[vi] Yet the SEC found MSSB’s violation “willful” and levied its largest monetary sanction to date. It is clear that what the SEC has lacked in terms of quantity of enforcement actions, it intends to make up for in terms of severity.

The MSSB settlement ultimately presents an unavoidable question for entities under SEC jurisdiction: if MSSB’s robust policies, procedures, and protocols (albeit flawed) are insufficient to avoid SEC sanctions under the Safeguards Rule, is the end result even arguable in a case where the organization adopts minimal policies, procedures and protocols, or fails to adopt any whatsoever?

Lesson 2: Perhaps MSSB’s most crucial mistake was to rest on its laurels. MSSB adopted policies and procedures and employed technological safeguards, but then inexplicably stopped. In fact, according to the SEC, MSSB “failed to conduct any auditing or testing of the authorization [protocols] … at any point since their creation at least 10 years” prior.[vii] That is astounding … and likely a contributing factor to the SEC’s determination that MSSB’s violation was willful.

From flawed controls on the Web applications, to the failure to install authorization protocols on certain applications, to inadequate Internet filters, to a breakdown in written policies and managerial oversight, it is safe to say that MSSB’s information security was a house of cards. Further, the evidence indicates that MSSB did not follow its written policies and procedures and that employee training, accountability and supervision were not organizational priorities. While there is no such thing as perfect security, these failings indicate that MSSB’s underlying procedural and technical flaws were exacerbated by an organizational culture of complacency.

Lesson 3: It is dangerous to hyper-focus on external threats. As pointed out repeatedly in this blog, internal threats and insiders (malign or benign) are an increasingly probable threat vector. MSSB was exploited by a single insider, who was then exploited in turn by a single outsider. MSSB managed to keep the external threat at bay, but handed the keys to the kingdom to an insider who then lost them anyway. Organizations must split their focus and keep their own house in order. Employee training and accountability must be meaningful and sustained. Internal access controls must be in place, operational, and enforceable. Auditing, testing, and recalibrating must be an ongoing process. Supervision and accountability from the executive level must be a priority.

Lesson 4: The SEC is getting serious. According to SEC Chair Mary Jo White, cyber security is the biggest risk facing the financial system.[viii] Regulation S-P has been around since 2000, and the requirement of written policies has been in effect since 2005. However, only recently has the SEC ramped up examinations and enforcement actions related to cybersecurity. Cybersecurity compliance and controls, including governance, access controls, training, and incident response, were the focus of the Office of Compliance Inspections and Examinations 2015 Cybersecurity Examination Initiative.[ix] Perhaps more importantly, as indicated in the MSSB settlement, the SEC is taking a hard line on its expectations of reasonable security and will not accept excuses or half measures.

ICKES \ HOLT is a full-service, team-driven, and client-focused law firm in Northeast Ohio concentrating on information security and governance. Information is the DNA of modern organizations, and ICKES \ HOLT is dedicated to advising clients on how to protect their information. Please contact us to discuss establishing or improving the information governance policies for your organization.

[i] https://www.sec.gov/news/pressrelease/2016-112.html

[ii] https://www.sec.gov/litigation/admin/2016/34-78021.pdf

[iii] Id.

[iv] Id. at ¶3

[v] Id.

[vi] https://www.ftc.gov/system/files/documents/closing_letters/nid/150810morganstanleycltr.pdf

[vii] https://www.sec.gov/litigation/admin/2016/34-78021.pdf at ¶8

[viii] http://www.reuters.com/article/us-finance-summit-sec-idUSKCN0Y82K4

[ix] https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf

Categories: Consumer Privacy/Security, Cybersecurity
© 2021 Ickes Holt | a full-service law firm