FTC Sends “Message” on Data Security in Closing Letter to Morgan Stanley

POSTED SEPTEMBER 22, 2015

A special to USLAW NETWORK and USLAW DigiKnow

By Karen Painter Randall, Connell Foley LLP, Roseland, New Jersey


Recently, companies have been requesting that the Federal Trade Commission (“FTC”) provide additional guidance on data security. On August 10, 2015, the FTC issued a public closing letter to Morgan Stanley Smith Barney LLC (“Morgan Stanley”) regarding the agency’s investigation into a data breach involving client information, and that letter sheds some light on the agency’s expectations.

By way of background, in January 2015 a Morgan Stanley employee admitted to inappropriately transferring account information for 350,000 Morgan Stanley clients from the company’s network to a personal website and then to a personal device. Hackers then reportedly accessed some of this information and posted account information, including client names, account numbers, and investment details, for 1,200 clients on multiple public websites. Upon learning of this data breach, the FTC initiated an investigation into Morgan Stanley’s data security practices to determine whether the company had engaged in unfair or deceptive acts or practices in violation of Section 5 of the FTC Act by failing to implement reasonable security measures to protect the clients’ account information.

On August 10, 2015, the FTC sent a letter to Morgan Stanley notifying the company that it was closing its investigation because Morgan Stanley had established and implemented comprehensive policies designed to protect against insider theft of personal information. The letter explained that Morgan Stanley had in place a policy limiting employee access to only the personal information for which they had a business need. Morgan Stanley also had processes in place to limit or prevent employees from transferring personal information, including monitoring the size and frequency of data transfers by employees, prohibiting employee use of USB and similar devices for transferring information, and blocking employee access to certain high-risk websites and applications. Another factor influencing the agency’s decision to close the investigation was that Morgan Stanley quickly fixed improper access controls for a narrow set of reports once the problem was brought to its attention.
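The controls the letter credits (monitoring the size and frequency of employee data transfers, and blocking removable media and high-risk destinations) can be expressed as simple detection logic. The following is an added illustration written for this article; it is not code from Morgan Stanley or the FTC. The log format, the sample records, the denied-destination list and the thresholds (100 MB per transfer, more than three transfers to any destination within five minutes) are all assumptions chosen for the example.

```python
"""Flag insider data-transfer activity from a constructed transfer log.

Three checks mirror the controls described in the closing letter:
  * denied_destination  - transfer to removable media or a blocked site
  * oversized_transfer  - a single transfer above a size threshold
  * high_frequency      - too many transfers by one user in a short window
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): ISO timestamp,user,destination,bytes.
# "bob" mirrors the pattern in the article: one large upload to a personal
# site, followed by a burst of small transfers.
SAMPLE_LOG = """\
2015-01-05T09:12:00,alice,fileshare.internal,204800
2015-01-05T09:30:00,bob,fileshare.internal,51200
2015-01-05T21:02:00,bob,personal-site.example,734003200
2015-01-05T21:03:10,bob,personal-site.example,2048
2015-01-05T21:03:40,bob,personal-site.example,2048
2015-01-05T21:04:05,bob,personal-site.example,2048
2015-01-05T21:04:20,bob,personal-site.example,2048
2015-01-06T10:00:00,carol,usb://removable-0,4096
"""

# Assumed policy: removable media is always denied, plus a placeholder
# block list of high-risk sites. The personal site is deliberately NOT on
# the list, so it must be caught by the size and frequency checks instead.
DENIED_DESTINATION_PREFIXES = ("usb://",)
DENIED_DESTINATIONS = {"high-risk-site.example"}

SIZE_LIMIT_BYTES = 100 * 1024 * 1024   # assumed per-transfer ceiling
FREQ_WINDOW = timedelta(minutes=5)     # assumed sliding window
FREQ_LIMIT = 3                         # more than this many in the window is anomalous


def parse_log(text):
    """Parse the CSV-style log into (timestamp, user, destination, bytes) tuples, sorted by time."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, dest, size = line.split(",")
        records.append((datetime.fromisoformat(ts), user, dest, int(size)))
    records.sort(key=lambda r: r[0])
    return records


def flag_transfers(records, size_limit=SIZE_LIMIT_BYTES,
                   window=FREQ_WINDOW, freq_limit=FREQ_LIMIT):
    """Return a list of (user, timestamp, alert_kind, detail) alerts."""
    alerts = []
    recent = defaultdict(deque)  # per-user timestamps inside the sliding window
    for ts, user, dest, size in records:
        if dest.startswith(DENIED_DESTINATION_PREFIXES) or dest in DENIED_DESTINATIONS:
            alerts.append((user, ts, "denied_destination", dest))
        if size > size_limit:
            alerts.append((user, ts, "oversized_transfer", size))
        window_hits = recent[user]
        window_hits.append(ts)
        while window_hits and ts - window_hits[0] > window:
            window_hits.popleft()
        # Fire once, at the moment the threshold is crossed, to avoid alert floods.
        if len(window_hits) == freq_limit + 1:
            alerts.append((user, ts, "high_frequency", len(window_hits)))
    return alerts


def summarize_by_user(alerts):
    """Count alerts per user so reviewers can prioritise who to look at first."""
    counts = defaultdict(int)
    for user, _ts, _kind, _detail in alerts:
        counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    found = flag_transfers(parse_log(SAMPLE_LOG))
    for user, ts, kind, detail in found:
        print(f"{ts.isoformat()} {user:6} {kind:20} {detail}")
    print(summarize_by_user(found))
```

Run on the sample log, the script produces no alerts for the routine internal transfers, one oversized-transfer alert and one high-frequency alert for the user uploading to a personal site, and one denied-destination alert for the removable-media write. The layered design is the point: a destination block list alone would have missed the personal site, while size and frequency monitoring caught it.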

Generally, the FTC closes privacy and data security investigations confidentially, without informing the public of the existence of the investigation or why it was closed. However, when the FTC chooses to issue a public closing letter, it often does so to send a specific message or lesson to companies. Here, the Morgan Stanley closing letter offers organizations some guidance on data security. First, a company must consider not only external risks to the company, but internal risks as well. While much attention is given to the risk of malicious attacks from hackers, many data breaches are the result of human error and system glitches. Second, the FTC has long emphasized that companies should identify and address reasonably foreseeable internal risks that could result in a breach. The FTC will consider these risk mitigation efforts when deciding whether to close an investigation. Lastly, a company must promptly address security issues when they are discovered.
