The Morgan Stanley Breach Notification: Lessons for Every Electronics Recycling Customer

July 29, 2020

First, I would like to commend Morgan Stanley.

They somehow learned IT assets disposed of four years ago may not have been properly wiped by the vendor they hired to do so at that time. That is not commendable. They should have been more careful.

What is commendable, however, is the fact that upon learning of this potential data breach, Morgan Stanley issued a breach notification to all affected customers. The simple fact is most organizations do not do that.

Most organizations:

  • Don’t think about IT assets discarded years ago
  • Don’t think about the qualifications of the vendors they used years ago
  • Don’t consider missing or improperly handled IT assets worthy of a breach notification

Morgan Stanley did. And in doing so, they did the right thing by their customers, by regulators… and, in the end, for themselves.

While I like to think the company’s decision to issue the notification was because it was the right thing, I realize it is more likely that the decision was largely made from a risk management perspective – they realized the consequences would have been worse if any of those assets turned up later with personal information on them.

Takeaways for Every Organization

  • There is risk in past careless IT asset disposal practices. There is no statute of limitations or safe harbor for improperly discarded IT assets. The equipment at Morgan Stanley was discarded four years ago. If an organization didn’t practice due diligence with all service providers over the course of time, the organization is still liable. This applies not only to how electronic equipment was recycled, but also to copy machines, printers, video recording devices, etc.
  • Improper IT asset disposal is a risk carried forward indefinitely. There is no statute of limitations on future data breaches. If a hard drive turns up five or ten years down the road with personal information on it, it is still a data breach, plain and simple. Ignoring missing or improperly wiped electronic media today simply means there are a bunch of time bombs floating around. There is no worse fear for risk managers than known liabilities carried forward indefinitely. Don’t take my word for it. Ask any corporate risk manager. Ask any CPA for that matter.
  • Potential improper disposal of IT equipment must be investigated. If equipment with personal information turns up later, the second worst thing an organization can do from a regulatory perspective is admit it did not investigate the potential data breach. Regulations require it.
  • If discovered later, not reporting a potential breach will be much more costly than doing the proper notification. The first worst thing an organization can do is not report a data breach. Regulators and law enforcement are much tougher on organizations that do not warn victims they are at risk than they are on those that do. Had Morgan Stanley not understood it was much riskier to remain silent than to make the notification, they might not have. I want to give them some credit for doing the right thing, but the risk/reward calculation was certainly preeminent in the decision.

Spilt Milk Under the Bridge

I doubt there will be a wholesale retro-investigation of past IT asset disposal sins. While it would be prudent, it is probably not practical.

Going forward, organizations need to do better. They need to 1) account for IT equipment from the moment it is acquired to the point it is finally disposed of, and 2) elevate the selection criteria, operating criteria, monitoring procedures, and contracts of the IT asset disposal services they use.

The right vendor should be able to guide any company through the host of compliance and risk minimization issues implicated in proper disposition.

If they cannot do that, it’s the wrong vendor.

About the Author:
Bob Johnson is the CEO of i-SIGMA, known for its global service provider certifications NAID AAA Certification (data disposal) and PRISM Privacy+ Certification (information management). He is also the author of Information Disposition, A Practical Guide for the Secure, Compliance Disposal of Records, Media, and IT Assets available on Amazon.