The Securities and Exchange Commission (SEC) has issued its first significant penalty for a failure to safeguard customer data: a $1 million civil money penalty against Morgan Stanley in connection with a breach that ran from 2011 to 2014 and was carried out by one of the firm's own client services associates, Galen Marsh.
The SEC found that Morgan Stanley “failed to adopt written policies and procedures reasonably designed to protect customer data,” a failure that allowed an employee to access and copy data from roughly 730,000 customer accounts to his personal server, which was later compromised by third parties. Some of that data was subsequently offered for sale online. The order states that the internal applications used to reach the data lacked effective authorization modules to restrict employees to the customer records they needed for their own work (in other words, inadequate access controls), and that the firm had no technology in place to monitor or analyze employee access to, or use of, customer data. Neither gap is exotic: the first is a missing authorization check at the point of access, the second is a missing audit trail and anomaly review, either of which should have surfaced one associate pulling records from hundreds of thousands of accounts.
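To make the two missing controls concrete, here is an added example (not code from the original post, and not a description of Morgan Stanley's actual systems) that applies them to a constructed access log. The assignment table, the log format, the user names and the thresholds are all assumptions for illustration. The first function is the authorization check the order says was ineffective; the second is the kind of volume-based monitoring the order says was absent, flagging a user whose count of distinct accounts touched in a day exceeds an absolute ceiling or several times that user's own prior daily maximum.

```python
"""
Added illustration: an ownership-based authorization check plus bulk-access
monitoring over a constructed customer-data access log. Names, thresholds and
the log layout are assumptions, not a real firm's configuration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: which accounts each associate is assigned to service.
ASSIGNED_ACCOUNTS = {
    "alice": {"A1001", "A1002", "A1003"},
    "bob":   {"B2001", "B2002"},
}

# Constructed access log: (day, user, account_id, action). In practice this
# would be emitted by the customer-data application or a proxy in front of it.
ACCESS_LOG = [
    (1, "alice", "A1001", "view"),
    (1, "alice", "A1002", "view"),
    (1, "bob",   "B2001", "export"),
    (2, "alice", "A1003", "view"),
    (2, "bob",   "B2002", "view"),
    # Day 3: bob exports records from 500 accounts that are not in his book.
] + [(3, "bob", f"C{n:04d}", "export") for n in range(500)]


@dataclass(frozen=True)
class Alert:
    day: int
    user: str
    kind: str
    detail: str


def is_authorized(user: str, account_id: str) -> bool:
    """Ownership-based check: an associate may only touch accounts assigned to them."""
    return account_id in ASSIGNED_ACCOUNTS.get(user, set())


def authorization_alerts(log):
    """Flag every logged access that the authorization check would have denied."""
    return [
        Alert(day, user, "unauthorized_access", f"{action} {acct}")
        for day, user, acct, action in log
        if not is_authorized(user, acct)
    ]


def volume_alerts(log, abs_limit=50, ratio=5):
    """Flag a user whose distinct accounts touched in a day exceed `abs_limit`,
    or exceed `ratio` times that user's own highest earlier day (their baseline)."""
    per_day = defaultdict(set)  # (user, day) -> set of account ids
    for day, user, acct, _ in log:
        per_day[(user, day)].add(acct)

    by_user = defaultdict(dict)  # user -> {day: distinct account count}
    for (user, day), accts in per_day.items():
        by_user[user][day] = len(accts)

    alerts = []
    for user, days in by_user.items():
        for day in sorted(days):
            n = days[day]
            prior = [days[d] for d in days if d < day]
            baseline = max(prior) if prior else 0  # no history -> ceiling only
            if n > abs_limit or (baseline and n > ratio * baseline):
                alerts.append(Alert(
                    day, user, "bulk_access",
                    f"{n} distinct accounts (prior daily max {baseline})",
                ))
    return alerts


def run(log=ACCESS_LOG):
    """Combine both controls over a log; returns the full list of alerts."""
    return authorization_alerts(log) + volume_alerts(log)


if __name__ == "__main__":
    for a in run():
        print(a)
```

On the sample log, the authorization check alone accounts for all 500 of bob's day-3 accesses, and the volume monitor raises a single additional alert for the same day. In a real deployment the authorization check belongs in the application path so the access is denied rather than merely logged, and the monitoring runs over the resulting audit trail so that a check which is misconfigured or bypassed still produces a signal.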
Morgan Stanley settled the charges without admitting or denying the findings. Marsh, who copied the data, was criminally convicted for his actions in 2015, sentenced to 36 months of probation and ordered to pay $600,000 in restitution. In a separate SEC order, Marsh agreed to an industry bar and a penny stock bar, with the right to apply for re-entry after five years.
The SEC stepped up enforcement of data security failings in 2015; this is its first major financial penalty for one, and it coincides with the SEC's second round of cybersecurity examinations and its stated commitment to data protection through tighter regulation and enforcement. The penalty also underlines a point that is easy to lose in the regulatory framing: the breach began as an insider threat, an authorized user reaching far beyond the access his role required, and the later hacking of his personal server only compounded it.
The SEC is the latest regulatory body to increase the pressure on organizations, joining state and federal attorneys general, other industry regulators (such as FINRA in the financial sector), and the now commonplace class action lawsuit. Financial institutions must be able to demonstrate that policies, procedures and technology are in place both to protect data and to respond quickly should a breach occur. In a recent whitepaper, How Financial Services Firms Can Bolster Security by Leveraging Persistence Technology on the Endpoint, we discuss recent security trends in the industry and how Absolute's Persistence technology can play a role in data protection.