Businesses large and small have an obligation to protect the customer data they use as part of their business. One of the country’s largest financial concerns failed to do just that, and was hit with millions in fines. It wasn’t hackers or cyber terrorists that took on Morgan Stanley Smith Barney. It was the company’s own failure to understand the correct way to…recycle. And it could happen to any business not keeping track of its trash.
Five years and millions of customers
Over a five-year period, Morgan Stanley retired thousands of computers, hard drives and servers that had come to the end of their useful life. The bank hired a moving company to decommission those computers. But the moving company did not destroy the computers or the hard drives; it sold them. The buyers sold them again, and eventually many of them showed up on an internet auction site. The problem? The hard drives and servers…thousands of them…still had Morgan Stanley customers' personal data on them.
The Securities and Exchange Commission (SEC) hit Morgan Stanley with a $35 million fine for failing to protect the Personally Identifiable Information (PII) that was still on those computers. The SEC charged that Morgan Stanley failed in its responsibility to protect its customers’ information over that five-year period…leading to the release of PII for up to 15 million customers.
The failure had nothing to do with how big the company is
Where did this giant bank go wrong, and why should small and medium-sized businesses learn a valuable lesson? Morgan Stanley failed to think through a process that happens every day in this time of rapidly changing technology. Companies big and small will occasionally need to upgrade their computer systems, from desktop units to the servers and hard drives that hold and manage our data-rich world. Often called a “refresh”, this process can leave client and customer information vulnerable, just like the millions of Morgan Stanley customers caught up in this mess.
In scheduling a large refresh, Morgan Stanley hired a moving and storage company to “decommission” thousands of computer hard drives and servers. It’s unclear whether the contract with Morgan Stanley required the company to destroy the drives, but the SEC claimed the financial institution failed to monitor the work of the moving company. The moving company admitted that it had absolutely no experience or expertise in data destruction. It’s unclear whether the moving company ever intended to destroy the devices.
A hard lesson
Obviously Morgan Stanley should have had better control over the actions of a contractor. Beyond that, the bank should not have relied on a company with no experience or expertise in the process of data destruction to decommission this equipment. There are companies that not only have the data destruction experience and expertise, but hold various certifications that provide proof their process ensures the complete destruction of any data.
Electronic waste (ewaste) recyclers take the concept of “decommissioning” a step further. Hard drives and servers are not just erased; they are taken apart and reduced to parts, all inside a secure facility. This is the only way to guarantee that all data is destroyed.
Morgan Stanley, ranked as the 61st largest company in the U.S. by Fortune magazine, is not alone in this type of misstep, and much smaller companies face the same potential for lost data, lost customer trust, fines and loss of business. Any business that keeps its customers’ data on an electronic device (computer, phone, office automation, etc.) needs to consider what happens to that equipment when it is done using it.
Mayer Alloys Corporation, in partnership with OmniSource Electronics Recycling, an R2 Certified Recycler, provides peace of mind that you are disposing of your organization’s electronic waste safely and responsibly. All electronic waste is recycled in an R2 Certified facility. All hard drives are destroyed, and Certificates of Destruction in compliance with Department of Defense (DoD) security standards are provided. To learn more about electronic recycling, check out our Ultimate Guide To Corporate Electronic Recycling and reach out to firstname.lastname@example.org.