Slashdot Mirror

← Back to Stories (view on slashdot.org)

Morgan Stanley Employee Pleads Guilty In Data Breach Case

Posted by samzenpus on from the was-that-wrong? dept.

An anonymous reader writes: A former Morgan Stanley financial adviser who was fired in connection with a major breach of client information pleaded guilty to accessing client data and taking it home with him. According to court records Galen Marsh copied names, addresses, account numbers, investment information and other data for approximately 730,000 accounts. "This action, which follows Morgan Stanley's initial investigation and reporting of his misconduct, makes clear that misuse of client account information will not be tolerated," the bank said in a statement.

23 of 43 comments (clear)

  1. Happens All The Time by Kagato · · Score: 3, Interesting

    The only thing that's weird about that is that is wasn't while leaving the company. Typically financial advisors do a data dumb of their clients and holding when they decide to switch to a different firm. The moment the advisor puts in notice a whole team of people work to contact customers to get permission to move so that the assets can be re-papered under the new firm. It's not unusual for a team to meet with an advisor and personally fly the paperwork/data back to the home office in order to speed up the transition.

    1. Re:Happens All The Time by Anonymous Coward · · Score: 3, Interesting

      This is exactly right. My first job at 19 was working for brokers like this guy manage their clients and did so for several years. I personally helped the transition of many brokers from competitor firms to ours doing this exact thing, and was also on the other side fighting to keep clients when a financial adviser left the firm for a competitor.

      The Catch-22 of the financial adviser world is that the firm, not the broker, owns the data about the client, because they have a fiduciary responsibility to keep and protect clients' personal identifying information as well as their net worth. They also have a fiduciary responsibility to the various government agencies to properly report on their clients' earnings for tax and regulatory purposes. The counter to that is while the firm owns the data, the business is service and it is the FA who has a personal relationship with the client. Very few clients care if they're with Morgan Stanley or JP Morgan or UBS or anyone else, they just care about the guy they call when they need financial advice.

      As such, the firms all headhunt each other's top brokers. They offer big incentives (I've seen multi-million dollar bonuses paid directly to the FA) to come over. That FA is worth nothing without his clients. So the FA does not give his two week notice, he simply doesn't show up to work one day and everyone scrambles. To prepare for the transfer, FAs take as much client data secretly home with them, so when they start at the new firm they have as much information about their clients to call them and help them transfer over, set up their forms and transfer paperwork, and know what incentives they need the new firm to offer the client to come over. Back in my day before it was all electronic, brokers would stay late or spend weeks secretly printing out client statements and shuffling them home in their briefcases for days at a time to prepare. This of course is all illegal; the client data is owned by the firm so technically it's a theft of company assets. However every firm allows it to happen because they all do it in the process of recruiting new FAs and clients.

      The worst one I saw was a guy had his own personal network of computers between him and his staff to manage his clients on a non-internet connected network, but was separate from the corporate provided computers and network. The corporation allowed it because at the time they didn't know any better. The manager somehow caught wind he was going to leave for another firm and fired him on the spot and hired a guard to not allow him in. The guy came back with a lawyer and the sherriff claiming that they fired him without cause and also refused to give him his personal property (his network of computers), amounting to theft by the firm. THe problem was, his clients' data was on the computers and the data was owned by the company, but the hardware was his personal computers and owned by him and there was a standoff. Never found out what happened after that as we employees were all insulated from the rest of the fiasco.

      What happened here was in the process of taking his clients away to a new firm, this guy took his client data electronically, got hacked, and it got posted online. That legally amounts to stealing company assets and reckless use of it. It's interesting especially if he serves prison time, because it'll have a significant effect on how this whole recruiting thing works.

    2. Re:Happens All The Time by Anonymous Coward · · Score: 1

      Cognitive dissonance. I'm amazed at how we can forbid something when it negatively affects us but also be complicit in it when it serves us. We do it all the time though, e.g. cheating on your spouse with someone who's married. There's another injured party in that transaction that could easily have been 'you'. Lack of compassion? Who knows...

  2. Re:Right... by tnk1 · · Score: 2

    It is standard policy to not bring home customer data or download it. Now, Morgan Stanley might have different rules than places I have worked, but chances are, they are the same. You can only access customer data from the corporate network, and you cannot download it, ever. Just breaking that rule would be enough to get him terminated immediately.

    Criminal charges would then depend on what he did with the data, or if he failed to protect it. If he was the source of the breach, he violated company policy to do the download, and then there was a compromise of data, then any applicable laws would apply to the downloader. He knew the rules, he broke them.

    Now, did his downloading of the files actually cause the breach? No idea.

    People have this idea that it is still MS's fault anyway just because they didn't airgap the information in an Mission Impossible style vault. That's not realistic. They take steps to protect it, but data like that is used for legitimate purposes. Some people have to be able to access it. That is why there is a lot of policy wrapped around what authorized people are allowed to do with the date. He had a choice to break the policy, and if there was criminal liability, he's liable for it.

  3. Re:Right... by Defenestrar · · Score: 1

    Yup. Right after that I think: "I bet this guy's job performance would have tanked if he was the only one who didn't take work home or on travel."

  4. Re:Right... by Penguinisto · · Score: 1

    You know what's funny? Sales-critters stealing client contact info (to start their own businesses, take it with them to a competitor, etc) used to be almost standard operating procedure 20-30+ years ago...

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  5. Edited by jbmartin6 · · Score: 1

    " misuse of client account information by any agency other than Morgan Stanley will not be tolerated"

    FTF Them

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    1. Re:Edited by Anonymous Coward · · Score: 1

      And the NSA.

  6. Re:Right... by tnk1 · · Score: 1

    Still does happen, but now there's the extra risk that the public cares about that data now more than ever. If that sales critter isn't careful he will not be able to prevent himself from being either the target of an actual breach or the fall guy for a breach. The game is now a lot more dangerous if you aren't as smart as you are unscrupulous.

  7. Also makes clear that it will not be noticed... by gweihir · · Score: 4, Insightful

    ... for a long time. Or at all.

    But here is the dirty little secret of all Data Leakage Detection and Prevention software: It does not work except against fully clueless people. It is basically just intimidation but lacks actual teeth. The only way to prevent data leakage is by treating your employees well and respect them. Because employee loyalty is the only thing that helps. I guess these companies have forgotten that little fact and are now paying the price for that.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  8. It was this one guy by penguinoid · · Score: 1

    Since the problem has been taken care of, we see no need to change any of our policies, in particular spending on security. Your life savings are very important to us.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  9. Re:"not tolerated," but they allowed it by Anonymous Coward · · Score: 1

    They do not allow it. It happens anyways. FAs take their client data home when they plan to switch firms for some big recruiting bonus, but it is actually against every firm's policy for FAs to take client data out of the office.

  10. Sounds more like Morgan Stanley screwed up. by gurps_npc · · Score: 4, Informative
    I used to work for PaineWebber, back when there was a PaineWebber. The real question was did he do this for his existing clients or for other broker's clients. If he did it with existing clients, than it is legal, and he did nothing wrong. If he did it with other broker's clients, than it is illegal and he could be in big trouble.

    Basically, high end financial advisors and their employers have a large argument about who the clients "belong to".

    Both the brokers and the employers claim the clients are THEIRS. Which means that when they quit their job, they each try to 'keep the clients'. The employers claim 'we gave you the leads that lead to that client', while the brokers claim "I spent 3 years building a relationship - even letting that client beat me at golf and I HATE golf."

    The Employers do not for example tell the clients were the new broker went to, even if the clients ask. Instead, they often accuse the brokers (as in press legal charges and try for injunctions) and prevent them from talking to the clients after they quit. It's gets so bad that some employers might try to prevent a broker from talking to his own father, because they claim his father is a client of the Employer, not the broker.

    The brokers often copy as much information as possible about their clients, not just phone numbers, but financial statements, etc. You need this information to give the clients real service. You can't tell all your clients with trust accounts about the new financial trust services at your new firm if you don't know which clients have trust accounts.

    If the broker took someone else's clients, than he clearly broke the law. But if he simply copied records of people he had a relationship with - i.e. his own clients - then Morgan Stanley is simply being a douchebag company accusing him of violating privacy when THEY are the one violating the privacy.

    Let's be honest here - the real truth is the CLIENT should be allowed to determine who they want to do business with. If the client wanted to do business with Morgan Stanley, then the broker should not keep their information - but it is reasonable for them to take it with them when they switch jobs as they can't tell the client they are quitting until after they quit and they need that information to attempt to make the sale.

    If the Client wants to keep business with the Broker, than Morgan Stanley should delete all their information after the switch is made.

    --
    excitingthingstodo.blogspot.com
    1. Re:Sounds more like Morgan Stanley screwed up. by KingMotley · · Score: 1

      Both the brokers and the employers claim the clients are THEIRS.

      Pretty sure they both can claim it, but only the broker is correct. The employee has no right to claim it while employed to do such work -- unless the client was a client PRIOR to becoming an employee. If you are paid (hourly, salary, commission, or other) to find new clients, the company "owns" them, not the employee.

      It may be SOP to do otherwise (or claim otherwise), but that doesn't mean it is legal either.

    2. Re:Sounds more like Morgan Stanley screwed up. by gurps_npc · · Score: 1
      You have made 3 basic mistakes.

      1) You are saying the company OWNS the client. NO That is called slavery, which is illegal. Clients are people, people that have not signed contracts. The CLIENTS should decided who they go with and that means the broker should have the right to call up the client and ask them to go with them. The employers try to stop this with abusive contracts with the brokers - but that does not make it "ethical", nor does it always make it legal. Just because a company makes an contract does not make it a legal contract. Companies break the law all the time - and sometimes put that criminal act in their contracts.

      2) The Company's theory that you are accepting - the company owns the clients is at heart false. No one picks a broker based on the Corporation because the companies are all almost identical. They have minor differences based on fees and some small services. The major differences are due to the broker - how much work they will do for you, how intelligent the broker is, etc. If your belief and the company's belief was true, than people would be quiet willing to talk to ANY financial advisor at the company. But that's not what happens with the wealthy. They develop a relationship and only talk to their advisor, not a random one.

      3) A truly successful broker gets almost no clients from the company, they get their clients from networking. The company does not effectively give them the clients, they get the clients using personal relationships. So when an advisor gets a job at say PaineWebber, he calls up his friend from Harvard, gets his business, then 3 months later gets his friend's cousin and father business, etc. etc. Then when they leave PaineWebber and go to work for Merril Lynch, they keep those clients. When they try to quit and go to work for Fidelity, Fidelity tries to keep all the clients - including the ones they took with them from PaineWebber that even YOU admit belong to the person, not the compay

      What you are describing is nothing less than an illegal attempt by a company to steal people's networking. It is illegal and wrong on the part of the COMPANY as much as it is by the broker. Neither side is innocent - but the Company has a lot of power that they abuse while the broker has to try and squeak by. Taking the company side, as you do, is ridiculous. At best, the company is just as in the wrong as the advisor.

      In a truly ethical world, it would be simple - the company and the broker would sit in the same room and call the clients up. They would ask the client who they would go with, and they would both ACCEPT the client's decision, neither taking any financial information that the client does not want them to have.

      --
      excitingthingstodo.blogspot.com
    3. Re:Sounds more like Morgan Stanley screwed up. by KingMotley · · Score: 1

      You've made numerous mistakes, using numerous fallacies:

      1) You are being silly. Note that I put "OWNS" in quotes, because while the word does in fact meet some definitions of the word, I was using it as a shorthand without a very long description with the assumption that the average person should understand it's meaning (poisoning the well fallacy). We are talking about the legality of the situation, not the ethics, so I'll skip that (red herring fallacy, strawman fallacy). And the rest of your argument here is irrelevant (burden of proof fallacy, hasty generalization fallacy, guilt by association fallacy).

      2) The company's theory I am accepting is based on common law. The rest of your statements are irrelevant. You don't like it, oh well, that's not what the law says and sucks to be you.

      3) Also typically irrelevant according to common employment law, except in the case that I originally mentioned that they had a prior existing relationship. The rest of your argument is irrelevant.

      What I am describing is common employment law for people who are paid to do a job (Trade secrets). Client lists are considered trade secrets of the company, and it is quite common to have companies sue ex-employees for such behavior that you describe, and it is often spelled out in employment contracts as well (although this isn't necessary in most cases, it is done so ignorant employees don't claim they were unaware). Most of this isn't even up for debate, ask any lawyer who deals in such matters, even a bad one.

  11. Morgan Stanley Pleads Guilty? by steamraven · · Score: 1

    I read "Morgan Stanley Pleads Guilty " and got hopeful they finally got prosecuted. I guess no such luck....

  12. Re:"not tolerated," but they allowed it by Anonymous Coward · · Score: 1

    Now Hillary essentially took home Top Secret information by hosting it on her private server and none of you fools give a crap.

  13. Re: "not tolerated," but they allowed it by s.petry · · Score: 2

    If you are truly so blinded by partisan bigotry that you take _any_ politician at their word, seek professional help after turning in your voter card.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  14. send slamhounds after him by cats-paw · · Score: 1

    keyed to his DNA.

    Lucky for him they don't exist yet.

    --
    Absolute statements are never true
  15. Re:"not tolerated," but they allowed it by davester666 · · Score: 1

    No, they don't allow others to financially gain from information they own.

    Only MS can profit from doing identity theft on their victims er clients.

    --
    Sleep your way to a whiter smile...date a dentist!
  16. Re:"not tolerated," but they allowed it by alex67500 · · Score: 1

    No, the fact that it was available to him doesn't mean he had the right to take it home. He probably needed to access it to do his day's work. He knew he wasn't allowed to take it home and still did it, so he's getting sued. Sounds reasonable.

    It's a hard pushed analogy, but butchers need knives to do their day's work, that doesn't mean they're allowed to use them to stab their colleagues. They know that, and if they do it, they get prosecuted for it.

  17. Re: "not tolerated," but they allowed it by canesfan · · Score: 1

    Of course your right... It is not as though Hillary has ever lied to the American public. Has Hillary ever been involved in a controversy where it turned out she "massaged" the details (a.k.a lied). So we should just take her abd all Politicians at their word.