International bank Morgan Stanley have been hit with a $60 million fine from the US Treasury Dept. for “engaging in unsafe or unsound practices relating to information security and noncompliance”; this was brought about by failures in their ITAD (IT Asset Disposition) policies and procedures.
The Office of the Comptroller of the Currency (OCC), the part of the Treasury Dept. that regulates and supervises all national banks and federally licensed branches of foreign banks in the United States, issued a consent order giving more detail on the issues. It found that, in 2016, Morgan Stanley fell short in several areas and failed to:
They then experienced “similar vendor management control deficiencies” in 2019, prompting further action. It seems that data was left on devices after decommissioning and that the bank was also unable to account for some of the server hardware after it had been retired. As well as the OCC fine, Morgan Stanley now face a range of class-action lawsuits brought by customers.
We have highlighted several times this year that, with the rise of remote working driven by COVID-19, Hardware Asset Management (HAM) and IT Asset Disposition (ITAD) are more critical than ever. This case highlights some of the elements that must be considered when implementing these areas within the business, and shows that simply handing the job to a third party is not the end of your responsibility: the data and the hardware remain yours to account for until you hold evidence that they have been sanitised or destroyed. If engaging an ITAD provider, you must ensure that you have procedures in place to:
While this multi-million-dollar ITAD fine is perhaps an above-average penalty, it does highlight the financial and reputational risks that can accompany less than stellar ITAD management. Consider this as you work with your business to identify priorities for 2021.
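Both failure modes described above, data left on devices and hardware nobody could account for, come down to the same missing control: reconciling the business's own record of what was retired against the ITAD provider's evidence of what was received and how it was sanitised. The following is an added example of that reconciliation, not code from the original post or from any bank or vendor; the CSV records are constructed for illustration, and the field names, the list of accepted sanitisation methods and the 30-day transit limit are assumptions standing in for whatever your contract and policy actually specify.

```python
"""Reconcile an internal decommissioning register against an ITAD provider's
certificates of data destruction.

Added illustration only: the records below are constructed, and the column
names, accepted methods and transit limit are assumed policy values, not taken
from any real bank, vendor or from the OCC consent order.
"""
import csv
from datetime import date
from io import StringIO

# Constructed sample: what the business says it retired (its HAM register).
DECOMMISSION_REGISTER = """\
asset_tag,serial,device_type,retired_on
A1001,SN-11AA,server,2020-06-01
A1002,SN-22BB,server,2020-06-01
A1003,SN-33CC,wan-router,2020-06-03
A1004,SN-44DD,laptop,2020-06-05
A1005,SN-55EE,storage-array,2020-06-05
"""

# Constructed sample: what the ITAD vendor certified back to the business.
ITAD_CERTIFICATES = """\
cert_id,serial,received_on,sanitisation_method
C-900,SN-11AA,2020-06-10,nist-800-88-purge
C-901,SN-22BB,2020-06-10,none
C-902,SN-44DD,2020-08-20,physical-destruction
C-903,SN-99ZZ,2020-06-10,physical-destruction
"""

# Assumed policy: only these methods count as the data having been removed.
ACCEPTED_METHODS = {"nist-800-88-purge", "physical-destruction", "crypto-erase"}
# Assumed contractual limit between retirement and the vendor taking custody.
MAX_TRANSIT_DAYS = 30


def _rows(text):
    """Parse an embedded CSV document into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))


def reconcile(register_text=DECOMMISSION_REGISTER, certs_text=ITAD_CERTIFICATES,
              accepted=ACCEPTED_METHODS, max_transit_days=MAX_TRANSIT_DAYS):
    """Return findings keyed by failure class; every list empty means clean.

    unaccounted  - retired in our register, no certificate: hardware we cannot locate
    unknown      - vendor certified a serial we never registered: inventory gap
    unsanitised  - certificate exists but the method is not one we accept
    late_receipt - custody gap between retirement and vendor receipt exceeds the limit
    """
    register = {r["serial"]: r for r in _rows(register_text)}
    certs = {c["serial"]: c for c in _rows(certs_text)}

    findings = {
        "unaccounted": sorted(register.keys() - certs.keys()),
        "unknown": sorted(certs.keys() - register.keys()),
        "unsanitised": [],
        "late_receipt": [],
    }
    for serial, cert in certs.items():
        asset = register.get(serial)
        if asset is None:
            continue  # already reported under "unknown"
        if cert["sanitisation_method"] not in accepted:
            findings["unsanitised"].append(serial)
        transit = (date.fromisoformat(cert["received_on"])
                   - date.fromisoformat(asset["retired_on"])).days
        if transit > max_transit_days:
            findings["late_receipt"].append(serial)
    for key in ("unsanitised", "late_receipt"):
        findings[key].sort()
    return findings


def is_clean(findings):
    """True only when no failure class has any serial in it."""
    return not any(findings.values())


if __name__ == "__main__":
    result = reconcile()
    for failure_class, serials in result.items():
        print(f"{failure_class:12s} {', '.join(serials) or '-'}")
    raise SystemExit(0 if is_clean(result) else 1)
```

Run as a script it prints one line per failure class and exits non-zero when anything is outstanding, which makes it easy to schedule against the monthly export from the asset register and the vendor's certificate feed. On the constructed data it flags two retired devices with no certificate at all, one certificate for a serial the register has never heard of, one device the vendor received but recorded as not sanitised, and one device that spent 76 days somewhere between the datacentre and the vendor; each of those is a question to put to the provider before the quarter closes, not after a regulator asks.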
ITAD firms weigh in on bank’s $60M data mismanagement fine
OCC Consent order
What you need to know about ITAD
ITAD maturity assessment