Every entity should have an information technology asset disposal (ITAD) program as part of its information security process and procedure.
Indeed, every time an IT asset is purchased, the eventual disposal of that asset should already be defined within an ITAD. When one doesn’t exist, data becomes exposed, compromises occur, and in many cases, fines are levied.
Such was the case with Morgan Stanley Smith Barney (MSSB), which continues to feel the repercussions of its ITAD failure over the past several years; that failure has now resulted in US$155 million in fines and penalties.
On September 20, 2022, the Securities and Exchange Commission (SEC) reached a settlement agreement in which MSSB paid a $35 million penalty for the improper disposal of devices containing MSSB customers’ personal identifying information (PII).
In October 2020, a consent order was issued by the Office of the Comptroller of Currency in which MSSB agreed to pay a penalty of $60 million. This was followed in January 2022 with the settlement of a class-action lawsuit in which MSSB agreed to pay an equal amount to victims of the ITAD failure and the resultant exposure of data.
Consequences of a deficient ITAD program
Within the SEC/MSSB settlement document, it is clear that MSSB had an ITAD program in place, yet the program was deficient, inasmuch as it was “not reasonably designed” and “failed to ensure that a qualified vendor was used for data decommissioning.”
In one of the documented instances, MSSB did the equivalent of ordering off the menu at a restaurant: it handed device decommissioning to a moving company, Triple Crown, whose skillset MSSB’s own 2013 risk assessment had identified as “local trucking, storage, and long-distance moving.”
In a 2021 court filing, MSSB passed the buck and described a daisy chain of contractors and subcontractors who caused the data exposure. MSSB blamed Triple Crown for its failure to remove, wipe, and recycle the devices securely.
Despite an agreement that Triple Crown was to have obtained MSSB’s consent prior to engaging a subcontractor, the bank asserted that Triple Crown sold the devices to AnythingIT, telling MSSB that the devices had been destroyed. AnythingIT also failed to destroy the devices and continued the daisy chain of reselling them to KruseCom.
When asset disposal becomes asset deception
Discussing the MSSB ITAD failure, Kyle Marks, ITAD chain-of-custody expert and CEO of Retire-IT, observed that “how Morgan Stanley handled ITAD is not unusual. Getting caught is. ITAD has a problem with incentives. Everybody has an incentive to hide problems in IT asset disposition. ITAD is the last step in the very long journey of the IT asset lifecycle.”
Marks emphasised the importance of a solid ITAD program as part of the procurement and life-journey of a device: “Inventory discrepancies begin the day new hardware is deployed. Discrepancies compound during each stage,” he said.
“Instead of tracking assets and reporting losses when they happen, organisations wait until assets are retired. Too often IT asset management uses ITAD to sweep the problems under the rug. Electronic recyclers are willing accomplices – vendors are happy to get the old hardware. They have no incentive to speak up. Without adequate controls, ITAD is ‘IT Asset Deception.’”
The SEC’s Gurbir S. Grewal, director of the SEC’s Enforcement Division, commented in a public statement: “MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so.
“If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”
The takeaway for CISOs
It is imperative that IT security leaders remember that an ITAD program is data security 101, and that the program must actually be followed. It is a must-have, not a nice-to-have. This is where MSSB clearly failed: it lacked adequate checks and balances to verify that what it thought was going to happen in the disposal of IT equipment actually happened as designed.
As with most debacles, the cleanup costs more than competently instituting the program in the first place. In MSSB’s case, the firm has not only incurred years of legal expenses but has also paid $155 million in fines.
MSSB could have benefited mightily from the Russian proverb: “Trust, but verify.”