SEC Fines Morgan Stanley $35 Million for Alleged Failure to Protect Customer Data

On September 20, 2022, the U.S. Securities and Exchange Commission announced that Morgan Stanley Smith Barney agreed to pay a $35 million fine for the firm’s alleged failure to adequately protect the personal information of approximately 15 million customers. Morgan Stanley settled the SEC’s claims without agreeing to or denying the agency’s findings. 

The SEC alleged that between 2015 and 2017, Morgan Stanley failed to properly dispose of devices containing customer personal information. According to the SEC, Morgan Stanley disposed of thousands of hard drives and servers via a moving and storage company with no prior experience in data destruction. The moving company later sold decommissioned Morgan Stanley hardware devices containing unencrypted customer personal information to a third party, and the majority of those devices could not be recovered.

In addition, the SEC alleged that Morgan Stanley failed to account for 42 servers the firm had replaced during an office hardware upgrade program. The servers, which contained sensitive customer information, had been equipped with encryption software, but the firm allegedly failed to activate the software.
