What Do Sunscreen and Good Data Security Practices Have in Common?

Don Miller

This is the latest in a series of data security case studies offered by bTrade in support of National Cyber Security Awareness Month (NCSAM).  As mentioned in our previous case study, bTrade will examine documents from public cases/proceedings initiated by regulators alleging bad data security practices, with the hope that lessons can be learned from data security mistakes identified in the documents.  The next case we will examine involves a company in the financial services industry, Morgan Stanley Smith Barney, and through it MFT Nation readers will learn the answer to the question posed in the title–i.e., they both help protect you from harmful exposure.

Morgan Stanley Exposed its Clients’ Confidential Data

The Federal Trade Commission (FTC) investigated a situation involving the misappropriation of confidential information relating to the company’s wealth management clients.  It is believed that a Morgan Stanley employee transferred the client data from Morgan Stanley’s network to a personal website accessed at work, and then onto personal devices.  The stolen data later showed up on other sites, which obviously exposed Morgan Stanley’s clients to potential harm.

Morgan Stanley Got Lucky.  Or did It?

After completing its investigation, the FTC issued a closing letter in which it advised that no further action would be taken at this time.  This surprised me.  The theft of client data usually results in some type of punishment.  So why did Morgan Stanley avoid punishment?  Well, its good fortune didn’t come about by accident.

The FTC found it significant that Morgan Stanley had established and implemented “comprehensive policies” designed to protect against employee theft of personal information.  For example, the company established and implemented a policy allowing employees to access only the personal data for which they had a business need, monitored the size and frequency of data transfers by employees, prohibited employee use of USB or other devices to transfer data, and blocked employee access to certain high-risk websites and related applications.

The FTC also determined that the Morgan Stanley employee was only able to access the client data because of a “configuration” error in the “access controls applicable to a narrow set of reports.”  And once the configuration error was discovered, Morgan Stanley acted promptly to correct it.

Lessons Learned

What can MFT Nation readers learn from the Morgan Stanley investigation?  These are the lessons, as laid out by the FTC:

An ounce of prevention is worth a pound of breach.  While you’re safeguarding your network from outside threats, think through any places where your system could be porous internally.  Consider how confidential information moves through your company and then retrace its steps from the perspective of a rogue staffer.  Shore up any weak spots in your defenses.

Limit access to confidential material to employees with a legitimate business reason.  At a concert, backstage passes are reserved for a select few.  Implement a similar policy when it comes to sensitive information in your company’s possession.  Not every staff member needs instant access to every piece of confidential data.

Data security is an ongoing process.  Savvy companies adjust their practices in light of current risks and changing technologies.  As employees increasingly use personal sites and apps, deploy appropriate controls to address the potential risks of broad access on work devices.

Contact bTrade for Assistance

Because data security is a dynamic process, organizations must adjust their data security practices as risks, technologies, and circumstances change.  We here at bTrade can help you with this process.  To learn more, please send a confidential email to our other data security experts at info@btrade.com.

bTrade Case Study