Adopting Data Security Measures Is Not Always Enough to Ensure Compliance with the Safeguards Rule

The Securities and Exchange Commission views data security as a critical part of its investor protection mandate.  Rule 30(a) of Regulation S-P, known as the “Safeguards Rule,” sets out procedures that every SEC-registered broker-dealer, investment company and investment adviser must adopt to safeguard customer records and information.  The Safeguards Rule requires these entities to adopt and implement written policies and procedures that must be “reasonably designed” to: (i) insure the security and confidentiality of customer records and information; (ii) protect against anticipated threats or hazards to the security or integrity of customer records and information; and (iii) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.  The sensitivity of customer records and financial information is plain, and the Safeguards Rule reflects the importance assigned to maintaining the security of such data.

In June 2016, Morgan Stanley reached a $1 million settlement with the SEC for its violation of the Safeguards Rule, demonstrating the importance of not only adopting such policies, but, more importantly, ensuring that they are effective.

Morgan Stanley’s databases stored sensitive personally identifiable information of individuals to whom Morgan Stanley provided brokerage and investment advisory services.  Between 2011 and December 2014, a Morgan Stanley employee repeatedly accessed those databases (beyond what he should have had access to) and improperly downloaded confidential data of approximately 730,000 customers to his personal server, including personal information such as full names, street addresses, account numbers, account balances and securities holdings.  The employee’s personal server was then hacked by a third party and portions of the data were posted to at least three Internet sites along with an offer to sell a larger quantity of the stolen data.  Morgan Stanley discovered the data breach through one of its routine Internet sweeps.

Morgan Stanley did have written procedures for data security, which included:

  • A Code of Conduct that prohibited employees from accessing confidential information other than what employees needed to perform their job responsibilities.
  • Systems that, if properly implemented, would only allow an employee to gather data for customers the employee supported.
  • Technology controls that should have restricted employees from copying data onto removable storage devices.

Despite these measures, Morgan Stanley failed to ensure these policies and procedures were effective.  The SEC found that Morgan Stanley was in violation of the Safeguards Rule because its policies and procedures were not reasonably designed to meet the objectives of the Safeguards Rule, and fined Morgan Stanley $1 million for its violation.  Specifically, Morgan Stanley (i) did not have reasonably designed and operating authorization systems to restrict employee access to only the data for which each employee had a legitimate business need; (ii) did not audit or test the effectiveness of such authorization systems; and (iii) did not monitor and analyze employees’ access to and use of the systems.
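The three findings map onto three controls a security engineer can actually build: an authorization check that defaults to deny, a test that exercises that check instead of trusting that it exists, and after-the-fact monitoring that replays the access log against entitlements and flags bulk pulls. The following is an added illustration written for this article; it is not code from the SEC order or from Morgan Stanley's systems. The employee names, account numbers, entitlement table and access-log events are constructed, and `permissive_check` is a deliberately misconfigured control included only so the enforcement test has something to catch.

```python
from collections import Counter
from itertools import product

# Constructed sample entitlements: the customer accounts each employee supports.
# Names and account numbers are hypothetical, not from the SEC order.
ENTITLEMENTS = {
    "fa_alice": {"ACC-1001", "ACC-1002", "ACC-1003"},
    "fa_bob":   {"ACC-2001", "ACC-2002"},
}


def is_authorized(employee, account, entitlements=ENTITLEMENTS):
    """Least-privilege authorization: deny unless the account is in the employee's book.

    Unknown employees get an empty book, so the default outcome is deny."""
    return account in entitlements.get(employee, set())


def permissive_check(employee, account, entitlements=ENTITLEMENTS):
    """A misconfigured control: any known employee may read any account.

    Included only so the enforcement test below has something to catch."""
    return employee in entitlements


def verify_enforcement(check, entitlements=ENTITLEMENTS):
    """Test the authorization control rather than trusting that it exists.

    Probes every (employee, account) pair, plus an unknown employee, and returns
    the probes whose outcome disagrees with the entitlement table."""
    all_accounts = set().union(*entitlements.values())
    actors = list(entitlements) + ["unknown_user"]
    failures = []
    for employee, account in product(actors, sorted(all_accounts)):
        expected = account in entitlements.get(employee, set())
        if check(employee, account, entitlements) != expected:
            failures.append((employee, account, expected))
    return failures


# Constructed access-log events (employee, account, action), in the shape an
# application or database audit trail would record them.
ACCESS_LOG = [
    ("fa_alice", "ACC-1001", "view"),
    ("fa_alice", "ACC-1002", "view"),
    ("fa_bob",   "ACC-2001", "view"),
    ("fa_bob",   "ACC-1003", "export"),   # outside bob's book
    ("fa_bob",   "ACC-3001", "export"),   # outside bob's book, assigned to nobody
    ("fa_bob",   "ACC-3002", "export"),
    ("fa_bob",   "ACC-3003", "export"),
]


def audit_access_log(log, entitlements=ENTITLEMENTS, export_threshold=3):
    """Monitoring: replay the log against entitlements after the fact.

    Returns (a) every event outside the actor's entitlements and (b) employees
    whose export count reaches export_threshold, which surfaces bulk pulls even
    when each individual access was authorized."""
    out_of_scope = [ev for ev in log if not is_authorized(ev[0], ev[1], entitlements)]
    exports = Counter(emp for emp, _, action in log if action == "export")
    bulk_exporters = {emp: n for emp, n in exports.items() if n >= export_threshold}
    return out_of_scope, bulk_exporters


if __name__ == "__main__":
    print("enforcement failures (correct check):", verify_enforcement(is_authorized))
    print("enforcement failures (permissive check):", len(verify_enforcement(permissive_check)))
    flagged, bulk = audit_access_log(ACCESS_LOG)
    print("out-of-scope events:", flagged)
    print("bulk exporters:", bulk)
```

Run stand-alone, the script reports no failures for the deny-by-default check, five failures for the permissive one (every account outside each known employee's book), four out-of-scope events all attributable to `fa_bob`, and `fa_bob` as a bulk exporter. The point of `verify_enforcement` is the second SEC finding: a control that is never tested against its own entitlement table can silently degrade into `permissive_check` and nobody will notice until an Internet sweep does.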

The key lesson to take away from Morgan Stanley’s example is that if you are an SEC-registered broker-dealer, investment adviser or investment company, it is not enough to simply have data security policies in place.  It is of critical importance to conduct auditing and testing to ensure the policies are effective in protecting investors’ confidential information.