Slashdot Mirror


Morgan Stanley Employee Pleads Guilty In Data Breach Case

An anonymous reader writes: A former Morgan Stanley financial adviser who was fired in connection with a major breach of client information pleaded guilty to accessing client data and taking it home with him. According to court records Galen Marsh copied names, addresses, account numbers, investment information and other data for approximately 730,000 accounts. "This action, which follows Morgan Stanley's initial investigation and reporting of his misconduct, makes clear that misuse of client account information will not be tolerated," the bank said in a statement.

2 of 43 comments

  1. Happens All The Time by Kagato · Score: 3, Interesting

    The only thing that's weird about that is that it wasn't while leaving the company. Typically financial advisors do a data dump of their clients and holdings when they decide to switch to a different firm. The moment the advisor puts in notice a whole team of people work to contact customers to get permission to move so that the assets can be re-papered under the new firm. It's not unusual for a team to meet with an advisor and personally fly the paperwork/data back to the home office in order to speed up the transition.

    1. Re:Happens All The Time by Anonymous Coward · Score: 3, Interesting

      This is exactly right. My first job at 19 was working for brokers like this guy, managing their clients, and I did so for several years. I personally helped the transition of many brokers from competitor firms to ours doing this exact thing, and was also on the other side fighting to keep clients when a financial adviser left the firm for a competitor.

      The Catch-22 of the financial adviser world is that the firm, not the broker, owns the data about the client, because they have a fiduciary responsibility to keep and protect clients' personal identifying information as well as their net worth. They also have a fiduciary responsibility to the various government agencies to properly report on their clients' earnings for tax and regulatory purposes. The counter to that is while the firm owns the data, the business is service and it is the FA who has a personal relationship with the client. Very few clients care if they're with Morgan Stanley or JP Morgan or UBS or anyone else, they just care about the guy they call when they need financial advice.

      As such, the firms all headhunt each other's top brokers. They offer big incentives (I've seen multi-million dollar bonuses paid directly to the FA) to come over. That FA is worth nothing without his clients. So the FA does not give his two week notice, he simply doesn't show up to work one day and everyone scrambles. To prepare for the transfer, FAs take as much client data secretly home with them, so when they start at the new firm they have as much information about their clients to call them and help them transfer over, set up their forms and transfer paperwork, and know what incentives they need the new firm to offer the client to come over. Back in my day before it was all electronic, brokers would stay late or spend weeks secretly printing out client statements and shuffling them home in their briefcases for days at a time to prepare. This of course is all illegal; the client data is owned by the firm so technically it's a theft of company assets. However every firm allows it to happen because they all do it in the process of recruiting new FAs and clients.

      The worst one I saw was a guy who had his own personal network of computers between him and his staff to manage his clients on a non-internet connected network, but was separate from the corporate provided computers and network. The corporation allowed it because at the time they didn't know any better. The manager somehow caught wind he was going to leave for another firm and fired him on the spot and hired a guard to not allow him in. The guy came back with a lawyer and the sheriff claiming that they fired him without cause and also refused to give him his personal property (his network of computers), amounting to theft by the firm. The problem was, his clients' data was on the computers and the data was owned by the company, but the hardware was his personal computers and owned by him and there was a standoff. Never found out what happened after that as we employees were all insulated from the rest of the fiasco.

      What happened here was in the process of taking his clients away to a new firm, this guy took his client data electronically, got hacked, and it got posted online. That legally amounts to stealing company assets and reckless use of it. It's interesting especially if he serves prison time, because it'll have a significant effect on how this whole recruiting thing works.