(Reuters) – A Morgan Stanley unit has agreed to pay $35 million to settle charges by the U.S. Securities and Exchange Commission that it repeatedly failed to protect the personal information of millions of clients, the regulator said on Tuesday.
The SEC said that over five years, Morgan Stanley Smith Barney failed to protect the personally identifiable information of 15 million clients. The company agreed to pay the fine without admitting or denying the findings.
Dating back to 2015, the company failed to properly dispose of devices containing sensitive information, including repeatedly hiring a moving and storage company without the appropriate expertise to dismantle thousands of hard drives and servers, the SEC said. These devices were sold to third parties and ultimately auctioned online with the personal information intact and unencrypted. Only some of these devices were recovered, according to the regulator.
The SEC also said the company lost track of 42 servers containing personal information when it underwent a hardware upgrade program and failed to activate existing encryption software on those devices years in advance.
In a statement, a Morgan Stanley spokesperson said the firm was satisfied to resolve the issue and had previously notified affected clients of the issues. The company said it has not detected any unauthorized access to or misuse of personal information.