10 DECEMBER 2020
What happened at Morgan Stanley is an Information Security Officer’s worst nightmare. A seemingly small oversight led to a data breach that has cost the company $60 million in fines, resulted in at least two class action lawsuits, and spawned widespread media coverage about an embarrassing mistake.
In case you missed the news, in July Morgan Stanley informed customers that their data had been compromised in breaches that occurred in 2016 and 2019. The firm had closed two data centers and hired a vendor to decommission computer equipment. The company later learned that several servers, which had not been properly wiped and contained unencrypted customer data, were missing.
At first glance, it may seem like Morgan Stanley made a small error that came back to bite them in a big way. In reality, Morgan Stanley’s mistake went much deeper than simply hiring the wrong vendor to dispose of computer equipment. Often business leaders leave it to IT to manage the process for what to do with data and equipment. But vacating a work location, whether it’s due to a move, a reorganization, or exiting a line of business, requires a plan for managing data and equipment in that location.
In this article, we’ll uncover the series of failures that led to the Morgan Stanley data breaches. Then we will explain how firms can protect themselves from a similar fate by implementing an information governance program.
The data breaches were the result of a series of missteps related to poor governance of data and information. Here’s where Morgan Stanley went wrong.
By improperly controlling computers and servers that were no longer needed, Morgan Stanley disregarded information security compliance and failed to protect customer data.
Whenever a computer is decommissioned (or recommissioned for a different use), you need a defined process for properly managing and scrubbing the data on that machine, even before physical disposal.
It’s important to take action right away when offboarding an employee, closing a work location, or anytime a computer is taken out of use. The process must include the following:
Often business leaders leave it to IT to manage the process for what to do with data and equipment. That’s especially true when there’s no ownership of the data that’s left behind. Whatever scenario a company is dealing with, there may be hundreds of devices (or more) to deal with, along with many competing priorities that require a clear plan in place.
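The two checks above (a defined scrubbing step before disposal, and ownership of every device that leaves a location) can be made mechanical. The following added example, not code from the original article or from Morgan Stanley, verifies that a drive image was actually overwritten and reconciles the decommissioning manifest against the vendor's destruction records; the manifest and certificate data are constructed samples, and the field names are assumptions.

```python
"""Decommissioning controls: verify sanitization, reconcile the asset manifest."""
import io

CHUNK = 1 << 16  # read block devices / images 64 KiB at a time


def is_sanitized(stream, fill=b"\x00"):
    """True if every byte read from `stream` equals `fill`.

    A zero-fill or single-pattern overwrite leaves nothing but `fill` behind;
    any other byte means the wipe was skipped or interrupted. Works on
    anything with .read(), so a multi-TB image is handled chunk by chunk.
    """
    pattern = fill * CHUNK
    while True:
        block = stream.read(CHUNK)
        if not block:
            return True
        if block != pattern[: len(block)]:
            return False


def reconcile(manifest, certificates):
    """Compare what left the building with what the vendor says it destroyed.

    manifest:     {serial: hostname} of every device taken out of service.
    certificates: {serial: {"method": str, "verified": bool}} from the vendor.
    Returns (missing, unverified): serials the vendor never accounted for,
    and serials whose certificate does not record a verified wipe.
    """
    missing = sorted(set(manifest) - set(certificates))
    unverified = sorted(
        s for s in certificates
        if s in manifest and not certificates[s].get("verified", False)
    )
    return missing, unverified


# Constructed sample data: two data-center racks, one vendor certificate file.
MANIFEST = {"SRV-0001": "db-01", "SRV-0002": "db-02", "SRV-0003": "app-01"}
CERTIFICATES = {
    "SRV-0001": {"method": "overwrite", "verified": True},
    "SRV-0003": {"method": "overwrite", "verified": False},  # wipe not confirmed
}                                                            # SRV-0002 is absent

# Constructed disk images: one fully zeroed, one with data left in the middle.
WIPED_IMAGE = bytes(200_000)
LEFTOVER_IMAGE = bytes(100_000) + b"ACCT 000-000 balance 42" + bytes(50_000)

if __name__ == "__main__":
    print("wiped ok:", is_sanitized(io.BytesIO(WIPED_IMAGE)))
    print("leftover ok:", is_sanitized(io.BytesIO(LEFTOVER_IMAGE)))
    print("missing, unverified:", reconcile(MANIFEST, CERTIFICATES))
```

Run the reconciliation against the vendor's report at each project meeting rather than at contract end; a device that is both missing and unverified is exactly the case that became the breach.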
By failing to monitor the actions of the vendor that disposed of their computers, Morgan Stanley created an information security hole.
Companies often turn to outside vendors to handle this work. Management of third-party vendors is one of the biggest risks companies have, and it’s one that tends to get them in trouble, as happened with Morgan Stanley. Companies not only outsource the tasks, but they also outsource the controls. It’s critically important to understand that even when you outsource tasks, you are still responsible for the outcome. Regulators can and will penalize you for what outsourced vendors do (or don’t do).
How closely should you monitor the actions of a third-party vendor and their controls? If you have verified that a vendor has a good process and the proper checks and balances in place, you might feel safe with only an annual review. However, that’s not enough, because so much can go wrong in that time: a box of laptops can fall off a truck during transport, or a couple of servers can fail to get scrubbed. And you won’t know until the worst has happened. At a minimum, quarterly reviews are recommended for ongoing contracts. For shorter-term projects, you can embed controls into regular project meetings.
Morgan Stanley failed to create and follow an operational plan for managing the lifecycle of information.
If Morgan Stanley had policies in place to support the governance of data and information throughout its lifecycle (including controls and monitoring to ensure that the organization was in compliance with its information governance policies), closing the two data centers would have triggered a review of the information on the servers in those centers. And the company would have had a plan in place to move data that was still needed or required to be retained, with a process to properly dispose of end-of-life data.
In the case of third-party vendor management, your company can do better by creating appropriate policies and procedures around the areas that open you up to risk, operationalizing those processes, and implementing proper controls to ensure they are followed. For example:
It might seem like enough to “oversee” the process when you’ve outsourced work to what you believe is a reputable company. The reality is, avoiding a costly failure requires more: proper due diligence, vendor risk profiling, selection and onboarding, ongoing management, and monitoring.
Start with a simple checklist and a documented process and make sure it gets communicated throughout the organization (not just documented in a contract).
If you wish to have a further discussion on this topic or about information governance in general, please feel free to reach out to me at email@example.com or visit us at https://www.bernsteindata.com.