A Big Lesson From a $60M Fine for Poorly Performed Data Disposition

Last week the Department of the Treasury OCC levied a $60 million dollar fine to Morgan Stanley for data breaches that occurred from poorly managed IT asset disposition projects associated to data center decommissioning activities in 2016 and additional disposal events in 2019. 

In a recent consent order the OCC describes that the bank “…failed to effectively assess or address the risks associated with the decommissioning of its hardware; failed to adequately assess the risk of using third party vendors, including subcontractors; and failed to maintain an appropriate inventory of customer data stored on the devices.”

The responsibility to stop unauthorized access to protected data is disproportionately the responsibility of the data controller, in this case Morgan Stanley. Detailing all of the security controls required to lower risk would not be possible in this short article. In reality there is no one tool, vendor, process, method, policy, or procedure that one could point to that would have guaranteed the bank hundred percent security. 

Secure management of data disposition, especially for large enterprises, requires a robust program that includes policies, procedures, assigned accountability, employee training, contracting and vendor due diligence requirements, and a process for strict oversight of activities all working together to minimize the risk of exposure and regulatory non-compliance.

From a reading of the previously mentioned description from the OCC it would be easy to characterize Morgan Stanley’s management of these data disposition activities as a failure by every measure. However, it is the following accusation by the OCC that most likely explains why the fine is so high “The Bank failed to exercise adequate due diligence in selecting the third party vendor engaged by Morgan Stanley and failed to adequately monitor the vendor’s performance”.

Typically, regulatory fines are reduced when the organization under investigation is able to prove that reasonable steps to protect private data were taken. In other words, mistakes will happen but if an organization can display that they have formal and documented data disposition procedures that includes vendor due diligences the penalties for an incident will likely be reduced.

At this time Morgan Stanley has yet to disclose the vendors utilized to perform these services. Considering the OCC’s claims that the bank failed to perform due diligence and oversight of the vendor’s practices it is likely that Morgan Stanley is unable to effectively shift the liability and financial responsibility to the contractor. 

Although there is no legal mechanism for Morgan Stanley to be indemnified of their regulatory obligations, they theoretically would be able to recoup some of the financial impact of the fine if there were well written contracts, documented performance testing and due diligence records. 

Performing documented due diligence in vendor selection and ongoing auditing of a vendor’s practices will significantly reduce the financial impact of breach or other regulatory non-compliance by reducing fines and ensuring an effective method for suing vendors that break contractual obligations. Vendor due diligence should include documented investigation of a vendor’s policies, procedures, methods, breach notification systems, training programs, third party certifications and key management system protocols at selection and at minimum on an annual basis. 

In the most simplest terms it appears that Morgan Stanley did little to deter these breaches from occurring, but the impact of the breaches were multiplied by the inability to establish that any care was taken in their approach to data disposition and vendor management. 

Every organization is at a risk of data breach or regulatory fine associated to poor data disposition. The only way to both minimize the likelihood of an exposure and reduce the financial impact if one would to occur is by investing in your data disposition program and ensuring internal and external stakeholders are regularly tested, results are documented, and corrective actions implemented when applicable. 

Looking to reduce your risks from IT asset disposal?

Get the Best Practices Guide Today: