Slashdot Mirror


Morgan Stanley Employee Pleads Guilty In Data Breach Case

An anonymous reader writes: A former Morgan Stanley financial adviser who was fired in connection with a major breach of client information pleaded guilty to accessing client data and taking it home with him. According to court records Galen Marsh copied names, addresses, account numbers, investment information and other data for approximately 730,000 accounts. "This action, which follows Morgan Stanley's initial investigation and reporting of his misconduct, makes clear that misuse of client account information will not be tolerated," the bank said in a statement.

6 of 43 comments

  1. Happens All The Time by Kagato · Score: 3, Interesting

    The only thing that's weird about that is that it wasn't while leaving the company. Typically financial advisors do a data dump of their clients and holdings when they decide to switch to a different firm. The moment the advisor puts in notice, a whole team of people works to contact customers to get permission to move so that the assets can be re-papered under the new firm. It's not unusual for a team to meet with an advisor and personally fly the paperwork/data back to the home office in order to speed up the transition.

    1. Re:Happens All The Time by Anonymous Coward · Score: 3, Interesting

      This is exactly right. My first job at 19 was working for brokers like this guy, helping manage their clients, and I did so for several years. I personally helped the transition of many brokers from competitor firms to ours doing this exact thing, and was also on the other side fighting to keep clients when a financial adviser left the firm for a competitor.

      The Catch-22 of the financial adviser world is that the firm, not the broker, owns the data about the client, because they have a fiduciary responsibility to keep and protect clients' personal identifying information as well as their net worth. They also have a fiduciary responsibility to the various government agencies to properly report on their clients' earnings for tax and regulatory purposes. The counter to that is while the firm owns the data, the business is service and it is the FA who has a personal relationship with the client. Very few clients care if they're with Morgan Stanley or JP Morgan or UBS or anyone else, they just care about the guy they call when they need financial advice.

      As such, the firms all headhunt each other's top brokers. They offer big incentives (I've seen multi-million dollar bonuses paid directly to the FA) to come over. That FA is worth nothing without his clients. So the FA does not give his two week notice, he simply doesn't show up to work one day and everyone scrambles. To prepare for the transfer, FAs take as much client data secretly home with them, so when they start at the new firm they have as much information about their clients to call them and help them transfer over, set up their forms and transfer paperwork, and know what incentives they need the new firm to offer the client to come over. Back in my day before it was all electronic, brokers would stay late or spend weeks secretly printing out client statements and shuffling them home in their briefcases for days at a time to prepare. This of course is all illegal; the client data is owned by the firm so technically it's a theft of company assets. However every firm allows it to happen because they all do it in the process of recruiting new FAs and clients.

      The worst one I saw was a guy who had his own personal network of computers between him and his staff to manage his clients on a non-internet-connected network, which was separate from the corporate-provided computers and network. The corporation allowed it because at the time they didn't know any better. The manager somehow caught wind he was going to leave for another firm and fired him on the spot and hired a guard to not allow him in. The guy came back with a lawyer and the sheriff claiming that they fired him without cause and also refused to give him his personal property (his network of computers), amounting to theft by the firm. The problem was, his clients' data was on the computers and the data was owned by the company, but the hardware was his personal computers and owned by him, and there was a standoff. Never found out what happened after that as we employees were all insulated from the rest of the fiasco.

      What happened here was in the process of taking his clients away to a new firm, this guy took his client data electronically, got hacked, and it got posted online. That legally amounts to stealing company assets and reckless use of it. It's interesting especially if he serves prison time, because it'll have a significant effect on how this whole recruiting thing works.

  2. Re:Right... by tnk1 · Score: 2

    It is standard policy to not bring home customer data or download it. Now, Morgan Stanley might have different rules than places I have worked, but chances are, they are the same. You can only access customer data from the corporate network, and you cannot download it, ever. Just breaking that rule would be enough to get him terminated immediately.

    Criminal charges would then depend on what he did with the data, or if he failed to protect it. If he was the source of the breach, he violated company policy to do the download, and then there was a compromise of data, then any applicable laws would apply to the downloader. He knew the rules, he broke them.

    Now, did his downloading of the files actually cause the breach? No idea.

    People have this idea that it is still MS's fault anyway just because they didn't airgap the information in a Mission Impossible style vault. That's not realistic. They take steps to protect it, but data like that is used for legitimate purposes. Some people have to be able to access it. That is why there is a lot of policy wrapped around what authorized people are allowed to do with the data. He had a choice to break the policy, and if there was criminal liability, he's liable for it.

  3. Also makes clear that it will not be noticed... by gweihir · Score: 4, Insightful

    ... for a long time. Or at all.

    But here is the dirty little secret of all Data Leakage Detection and Prevention software: It does not work except against fully clueless people. It is basically just intimidation but lacks actual teeth. The only way to prevent data leakage is by treating your employees well and respect them. Because employee loyalty is the only thing that helps. I guess these companies have forgotten that little fact and are now paying the price for that.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  4. Sounds more like Morgan Stanley screwed up. by gurps_npc · Score: 4, Informative

    I used to work for PaineWebber, back when there was a PaineWebber. The real question was did he do this for his existing clients or for other brokers' clients. If he did it with existing clients, then it is legal, and he did nothing wrong. If he did it with other brokers' clients, then it is illegal and he could be in big trouble.

    Basically, high end financial advisors and their employers have a large argument about who the clients "belong to".

    Both the brokers and the employers claim the clients are THEIRS. Which means that when they quit their job, they each try to 'keep the clients'. The employers claim 'we gave you the leads that led to that client', while the brokers claim "I spent 3 years building a relationship - even letting that client beat me at golf and I HATE golf."

    The Employers do not, for example, tell the clients where the new broker went to, even if the clients ask. Instead, they often accuse the brokers (as in press legal charges and try for injunctions) and prevent them from talking to the clients after they quit. It gets so bad that some employers might try to prevent a broker from talking to his own father, because they claim his father is a client of the Employer, not the broker.

    The brokers often copy as much information as possible about their clients, not just phone numbers, but financial statements, etc. You need this information to give the clients real service. You can't tell all your clients with trust accounts about the new financial trust services at your new firm if you don't know which clients have trust accounts.

    If the broker took someone else's clients, then he clearly broke the law. But if he simply copied records of people he had a relationship with - i.e. his own clients - then Morgan Stanley is simply being a douchebag company accusing him of violating privacy when THEY are the ones violating the privacy.

    Let's be honest here - the real truth is the CLIENT should be allowed to determine who they want to do business with. If the client wanted to do business with Morgan Stanley, then the broker should not keep their information - but it is reasonable for them to take it with them when they switch jobs as they can't tell the client they are quitting until after they quit and they need that information to attempt to make the sale.

    If the Client wants to keep business with the Broker, then Morgan Stanley should delete all their information after the switch is made.

    --
    excitingthingstodo.blogspot.com

  5. Re: "not tolerated," but they allowed it by s.petry · Score: 2

    If you are truly so blinded by partisan bigotry that you take _any_ politician at their word, seek professional help after turning in your voter card.

    --
    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.