Server image by Massimo Botturi on unsplash.com

A significant fine this month over a data leak caused by improperly decommissioned technology showcases how costly breaches of this kind can be.

Morgan Stanley announced earlier this month it would pay a $60 million fine relating to a data breach lawsuit filed stemming from a 2019 incident.

The preliminary settlement reached in New York Southern District Court is meant to resolve a class action filed by Morgan Stanley customers over poor information security standards. In part, the plaintiffs said Morgan Stanley improperly transferred older servers containing customer data to an outside vendor. The bank later recovered the servers, according to Reuters. Fifteen million clients were potentially affected by the incident.

Data breaches are often portrayed as a sort of “soft” theft. The clip art for a typical story on the topic might include a picture of an obscured figure typing on a keyboard. Rarely do we portray the huge bins of electronic waste that, once improperly handled, expose customer information to theft.

It’s also rare to have the cost of a data breach so solidly quantified. In a consent order last October, the Office of the Comptroller of the Currency fined the bank for “fail[ing] to take proper precautions to protect customer data when it shut down two data centers for its U.S. wealth-management operations in 2016. The bank did not maintain inventory of the customer data on those systems, and did not properly oversee the contractors it hired to make sure customer data had been wiped from the old equipment, the OCC said in its consent order.”

The settlement and fine show both customers and regulators are taking data handling more seriously. Companies should manage the risk of their physical assets in several ways:

— Ask your IT team or third party provider to map where your customers’ data is housed and keeping this information regularly updated, with a focus on the most sensitive personal data.

— Create an asset inventory to keep track of assets that contain sensitive data and ensure any decommissioning of that hardware is handled properly.

— Conduct periodic risk assessments of hardware, with a focus on how you plan to process out end of life assets.

— Offset some risk of data leakage or exposure with business-appropriate cyber insurance products.

— Create a decommissioning policy that becomes part of your overall IT and data security strategy.

— Make sure data destruction at the end of each piece of data-carrying hardware at the end of its lifecycle is guaranteed. Destruction is key. Some companies believe their data is being wiped when they drop devices off for recycling and that is not always the case. Recycling these devices is important, but it must be done the right way. Make sure your e-waste recycler is NAID certified.

Breaches of hard assets are easier for regulators (and sometimes plaintiffs) to quantify. Companies also get none of even the sliver of grace afforded to firms in other breach scenarios, like those involving an attack by a sophisticated army or a ubiquitous new ransomware scam. If the corporate adage “low hanging fruit” were a regulatory burden, this would be it.

For some additional tips on creating an asset inventory and taking better control of your technology assets, the Cybersecurity and Infrastructure Agency has additional resources for businesses of all sizes at cisa.gov.

---

 

Kate Fazzini is CEO of Flore Albo LLC, an adjunct professor of cybersecurity at Georgetown University, author of Kingdom of Lies: Unnerving Adventures in the World of Cybercrime and has served as a cybersecurity reporter for The Wall Street Journal and CNBC.

John Shegerian is co-founder and Chairman/CEO of ERI, the nation’s leading fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company. Business Journal readers can visit eridirect.com/insecurity-of-everything-book/ to receive a free copy of John’s new book, The Insecurity of Everything.