Last month, the Securities and Exchange Commission fined Morgan Stanley under the Safeguards Rule of the Gramm-Leach-Bliley Act for failing to adequately protect customer records. Although the SEC has brought several privacy and cybersecurity enforcement actions — SEC Chair Mary Jo White recently warned that “cyber security is the biggest risk facing the financial system” — Morgan Stanley’s $1 million settlement is nonetheless eye-catching as the largest to date.
The settlement reveals the SEC’s strict view of what constitutes “reasonable” data security. Failing to thwart just one rogue employee, despite having comprehensive security policies and controls in place, may lead to enforcement if the firm has not adequately tested and audited those controls. What’s more, the SEC may find the violation to be “willful,” allowing it to impose monetary fines.
Morgan Stanley’s troubles began in late 2014 when it discovered customer data from 1,200 accounts, including names, addresses, phone numbers, account numbers, account balances and securities holdings, was available for sale online. After an internal probe, Morgan Stanley identified the source of the breach as employee Galen Marsh, who had uploaded the account information of more than 730,000 clients to his personal computer between June 2011 and December 2014. These records allegedly were stolen from Marsh’s computer and posted online by third-party hackers. In December 2015, Marsh was sentenced to three years of probation and ordered to pay $600,000 in restitution.
Marsh allegedly gained access to the client account information by exploiting weaknesses in two of Morgan Stanley’s portal applications. The firm maintained hundreds of these applications on its intranet to run reports and retrieve data from underlying client databases. To limit employee access to the databases, the firm put in place written policies, codes of conduct, and “authorization modules” that restricted access only to authorized client data. Employees were prohibited, by policies and technical systems, from copying data onto storage devices and accessing high-risk websites.
There was, however, a glitch in the access controls. In 2011, Marsh allegedly discovered that on one portal, while running a particular kind of report, he could access client data on all Morgan Stanley clients. Using branch ID numbers other than his own (numbers that were widely known throughout the firm) and by inputting fake financial analyst ID numbers, Marsh allegedly ran more than 40,000 unauthorized searches on the portal. In 2014, he discovered a glitch in a second portal and allegedly conducted an additional 1,900 unauthorized searches. To evade the controls on copying data, Marsh set up a website that allegedly let him upload the data directly to his personal server.
The FTC declined to sanction Morgan Stanley
The Morgan Stanley settlement with the SEC is notable because, by some accounts, Morgan Stanley did everything right. It detected the online offer for sale of its client data within days, acted quickly to trace the source of the breach and punish the responsible employee, publicly announced the details of the breach and contacted law enforcement authorities, remediated the breach for affected clients, and engaged outside counsel and independent consultants to investigate the incident.
The Federal Trade Commission also investigated the matter under Section 5 of the FTC Act, which prohibits “unfair or deceptive trade practices,” and declined to bring an enforcement action. The FTC found that Morgan Stanley had “established and implemented comprehensive policies designed to protect against insider theft of personal information.” These included limiting employee access only to the personal data they needed, monitoring employee data transfers, prohibiting the use of USB keys or other storage devices, and blocking access to websites and applications that were considered high risk. The FTC blamed the breach on the improper configuration of “access controls applicable to a narrow set of reports.”
The FTC’s decision not to pursue Morgan Stanley under a theory of unfairness or deception shouldn’t come as a surprise. For years, the Commission has encouraged organizations to implement data security policies similar to those that Morgan Stanley had in place. The IAPP’s comprehensive study of FTC enforcement actions indicates employers are more likely to avoid FTC enforcement if they control and monitor an employee’s access to personal information based on the employee’s role and limit the copying of such data. Although Galen Marsh ostensibly exploited a weakness in Morgan Stanley’s controls, the firm’s policies likely were not “unfair” based on past FTC practice.
For the SEC, however, these security measures were not enough. GLBA’s Safeguards Rule, as implemented by the SEC, requires broker-dealers and registered investment advisers to adopt written policies and procedures reasonably designed to insure the security and confidentiality of customer records, as well as to protect against anticipated threats and unauthorized access that could result in substantial harm or inconvenience. The SEC found that Morgan Stanley failed to comply because its technical systems did not sufficiently restrict employee access, and it failed to audit its systems to ensure their effectiveness and to analyze employee access patterns.
Indeed, in the 10 years after Morgan Stanley put in place its authorization modules, it allegedly never audited or tested them. Morgan Stanley also did not monitor user activity on the portals. According to the SEC, “auditing or testing would likely have revealed the deficiencies in these modules.” Thus, it was not enough merely to have in place policies and technical systems that prevent access — those systems must be monitored and tested to make sure they are working properly.
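To make the two failures concrete (the report whose authorization trusted caller-supplied branch and analyst IDs, and the absence of any review of access patterns), here is an added illustration written for this post; it is not Morgan Stanley's code and the client records, users and log entries are constructed, as are the `Session`, `report_*` and `audit_access` names.

```python
"""Constructed example: a portal report whose scope is whatever IDs the caller
types in, beside one bound to the authenticated session, plus the kind of
periodic log review the SEC said was never performed."""
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user: str
    branch_id: str           # the branch this employee actually belongs to
    analyst_ids: frozenset   # analyst IDs this employee is entitled to view

# Constructed client database: client id -> (branch id, analyst id)
CLIENTS = {"c1": ("B100", "A7"), "c2": ("B100", "A9"), "c3": ("B200", "A3")}

def _query(branch_id, analyst_id=None):
    return sorted(c for c, (b, a) in CLIENTS.items()
                  if b == branch_id and (analyst_id is None or a == analyst_id))

def report_unchecked(session, branch_id, analyst_id):
    """Flawed module (simplified): filters only on the branch number typed into
    the form and never compares it to the session, and the analyst ID field is
    accepted without validation, so a widely known branch number plus a made-up
    analyst number returns another branch's clients."""
    return _query(branch_id)

def report_checked(session, branch_id, analyst_id):
    """Hardened module: the requested scope must lie within the session's entitlements."""
    if branch_id != session.branch_id or analyst_id not in session.analyst_ids:
        raise PermissionError(f"{session.user} not entitled to {branch_id}/{analyst_id}")
    return _query(branch_id, analyst_id)

def audit_access(log, entitlements, max_queries=100):
    """Review of portal access logs: flag users whose queries name a branch other
    than their own, and users whose query volume exceeds a normal workload.
    `log` is a list of {"user": ..., "branch_id": ...} entries (constructed)."""
    findings = set()
    for entry in log:
        home = entitlements[entry["user"]].branch_id
        if entry["branch_id"] != home:
            findings.add((entry["user"], "foreign_branch", entry["branch_id"]))
    for user, n in Counter(e["user"] for e in log).items():
        if n > max_queries:
            findings.add((user, "query_volume", n))
    return sorted(findings)
```

Running `audit_access` on a day's logs with a realistic `max_queries` would surface both the foreign-branch lookups and the volume anomaly long before 40,000 searches accumulated.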
It is noteworthy, too, that the FTC’s implementation of GLBA makes the duty to test and monitor more explicit. Under the FTC’s Safeguards Rule, organizations must “[d]esign and implement information safeguards to control the risks [identified] through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures.” The FTC could not enforce this rule against Morgan Stanley, however, because under GLBA the FTC lacks jurisdiction over financial institutions that fall under SEC authority.
“Willful” is broadly interpreted
Not only did the SEC find Morgan Stanley’s policies unreasonable, it also found the violation to be “willful,” which exposed the firm to monetary fines under Sections 15(b) and 21C of the Securities Exchange Act of 1934. In this case, relying on the D.C. Circuit’s interpretation, the SEC concluded that “a willful violation of the securities laws means merely that the person charged with the duty knows what he is doing. There is no requirement that the actor also be aware that he is violating the Rules or Acts.”
This definition accords with the Supreme Court’s interpretation, under a different statute, that “‘willfully’ is a ‘word of many meanings whose construction is often dependent on the context in which it appears.’” The SEC’s finding that Morgan Stanley acted willfully nonetheless extends the boundaries even of this permissive definition. While the SEC alleged that Galen Marsh extracted data over a substantial period of time, and that Morgan Stanley did not adequately test and monitor compliance, it cannot be said, from these facts, that the firm truly knew that its systems were vulnerable. Nor did the SEC allege that Morgan Stanley was deliberately indifferent to the risk. Rather, the SEC appears to be sending a message that, if an organization doesn’t test its systems regularly, it may be held to “know what [it] is doing.” That is, not testing whether one’s system is vulnerable may be the same as knowing one’s system is vulnerable.
The constant onslaught of data breaches makes clear that every system is at risk of a breach, from internal and external actors alike. Firms holding extremely sensitive data, like financial account information, should view their systems as under constant attack. Failure to assume a persistently defensive and inquisitive posture could now expose a firm to penalties and fines for willfully unreasonable security. With the SEC increasingly active in enforcement, regulated firms may face greater scrutiny over their data security practices.