What happened at Morgan Stanley is an Information Security Officer’s worst nightmare. A seemingly small oversight led to a data breach that has cost the company $60 million in fines, resulted in at least two class action lawsuits, and spawned widespread media coverage about an embarrassing mistake.
In case you missed the news, in July Morgan Stanley informed customers that their data had been compromised in breaches that occurred in 2016 and 2019. The firm had closed two data centers and hired a vendor to decommission computer equipment. The company later learned that several servers, which had not been properly wiped and contained unencrypted customer data, were missing.
At first glance, it may seem like Morgan Stanley made a small error that came back to bite them in a big way. In reality, Morgan Stanley’s mistake went much deeper than simply hiring the wrong vendor to dispose of computer equipment. Often business leaders leave it to IT to manage the process for what to do with data and equipment. But vacating a work location, whether it’s due to a move, a reorganization, or exiting a line of business, requires a plan for managing data and equipment in that location.
In this article, we’ll uncover the series of failures that led to the Morgan Stanley data breaches. Then we will explain how firms can protect themselves from a similar fate by implementing an information governance program.
What mistakes led to the Morgan Stanley data breaches?
The data breaches were the result of a series of missteps related to poor governance of data and information. Here’s where Morgan Stanley went wrong.
1. Failure to scrub data from computers no longer in use
By improperly controlling computers and servers that were no longer needed, Morgan Stanley disregarded information security compliance and failed to protect customer data.
Whenever a computer is decommissioned (or recommissioned for a different use), you need a defined process for properly managing and scrubbing the data on that machine, even before physical disposal.
It’s important to take action right away when offboarding an employee, closing a work location, or anytime a computer is taken out of use. The process must include the following:
- Secure the computer. If you leave a computer unattended, you risk an unauthorized person accessing the machine and the data on it. That could lead to a breach that exposes PII or other sensitive information. This seems obvious, but we’ve seen offices with closets piled to the ceiling with abandoned computers! Secure the machine until you can properly move the data and dispose of it.
- Check with appropriate company stakeholders to see if the computer contains data that’s needed. For example, a litigation or regulatory hold might require the information to be retained. Or, a business unit manager may need the data for ongoing work. If so, you’ll need to retrieve the required information and safely transfer it to the new owner.
- Wipe the data and strip the computer clean.
Vacating a work location, whether it’s due to a move, a reorganization, or exiting a line of business, requires a plan for managing data and equipment in that location.
Often business leaders leave it to IT to manage the process for what to do with data and equipment. That’s especially true when there’s no ownership of the data that’s left behind. Whatever scenario a company is dealing with, there may be hundreds of devices (or more) to deal with, along with many competing priorities that require a clear plan in place.
2. Lack of controls to monitor third-party vendors
By failing to monitor the actions of the vendor that disposed of their computers, Morgan Stanley created an information security hole.
Companies often turn to outside vendors to handle this work. Management of third-party vendors is one of the biggest risks companies have, and it’s one that tends to get them in trouble, as happened with Morgan Stanley. Companies not only outsource the tasks, but they also outsource the controls. It’s critically important to understand that even when you outsource tasks, you are still responsible for the outcome. Regulators can and will penalize you for what outsourced vendors do (or don’t do).
How closely should you monitor the actions of a third-party vendor and their controls? If you have verified that a vendor has a good process and the proper checks and balances in place, you might feel safe with only an annual review. However, that’s not enough, because so much can go wrong in that time: a box of laptops can fall off a truck during transport, or a couple of servers can fail to get scrubbed. And you won’t know until the worst has happened. At a minimum, quarterly reviews are recommended for ongoing contracts. For shorter term projects, you can embed controls into regular project meetings.
3. Failure to manage the information lifecycle
Morgan Stanley failed to create and follow an operational plan for managing the lifecycle of information.
If Morgan Stanley had policies in place to support the governance of data and information throughout its lifecycle (including controls and monitoring to assure that the organization was in compliance with its information governance policies), closing the two data centers would have flagged a review of the information on the servers in those centers. And the company would have had a plan in place to move data that was still needed or required to be retained, with a process to properly dispose of end-of-life data.
Data breach prevention: how you can do better
In the case of third-party vendor management, your company can do better by creating appropriate policies and procedures around the areas that open you up to risk, operationalizing those processes, and implementing proper controls to ensure they are followed. For example:
- Contractual language for the proper retention, storage, and maintenance of data can provide guidance and save time for third-party vendors who have been put in charge of managing company data, particularly in the event of a major event such as a data center closure.
- A Records Management checklist can provide guidance for employees and external parties when determining the actions to take. Be sure to include the following:
- Who is responsible for the management of data within your company. In most cases, several groups have important roles: Technology manages the lifecycle of equipment; Businesses own the data and decide what must be held for business reasons; and Legal is responsible for the legal and regulatory requirements on the retention and disposal of data.
- Who to go to with questions. Companies should not assume that third-party vendors know who to turn to for answers to their questions without clear direction.
- A clear and complete scope of work. In Morgan Stanley’s case, their job was to decommission equipment, but that failed to include the need to recycle/scrub data from laptops and to determine if any data needed to be retained.
It might seem like enough to “oversee” the process when you’ve outsourced work to what you believe is a reputable company. The reality is, avoiding a costly failure requires more: proper due diligence, vendor risk profiling, selection and onboarding, ongoing management, and monitoring.
Start with a simple checklist and a documented process and make sure it gets communicated throughout the organization (not just documented in a contract).
If you wish to have a further discussion on this topic or about information governance in general, please feel free to reach out to me at firstname.lastname@example.org or visit us at https://bernsteindata.com.