Last week, one of America’s top-rated wealth management firms, Morgan Stanley (formerly known as Morgan Stanley Smith Barney, or MSSB), agreed to pay $35 million in fines after mishandling personal identifying information (PII) of an estimated 15 million customers.
About the incident
According to a press release from the U.S. Securities and Exchange Commission, a recently concluded investigation revealed that for over seven years, Morgan Stanley had been incorrectly disposing of devices containing customers’ PII.
“On multiple occasions, MSSB hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the PII of millions of its customers. MSSB failed to properly monitor the moving company’s work… the moving company sold to a third party thousands of MSSB devices including servers and hard drives, some of which contained customer PII, and which were eventually resold on an internet auction site without removal of such customer PII.”
Morgan Stanley was able to recover some of the devices, but the majority have not been located. Investigators also discovered that 42 unencrypted servers (potentially containing PII) were missing after the company decommissioned local office hardware – a finding which is even more egregious considering that the devices had encryption capabilities.
Gurbir S. Grewal, Director of the SEC’s Enforcement Division, shared his thoughts on the investigation:
“MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so. If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”
While Morgan Stanley did not admit to any wrongdoing, the company “consented to the SEC’s order finding that the firm violated the Safeguards and Disposal Rules under Regulation S-P” and agreed to pay the $35 million in fines.