The Weakest Link
It’s often noted that employees, left untrained or unsupervised, can become the weakest link for an organization when it comes to its data security practices. Few incidents offer such a high-profile example of this as last year’s breach at Morgan Stanley, in which a former broker in the firm’s wealth management group, Galen Marsh, was fired for being just that weak link. If you recall, over a period of three years Marsh had transferred 730,000 client accounts to his own personal server. This negligence was rewarded by a hack that stole some of this confidential data and posted it online, which led to $600,000 in restitution along with a criminal conviction carrying three years’ probation for Marsh.
At the time, however, the Federal Trade Commission decided to show the firm leniency, declining to take action since, as they said, responsibility lay in a glitch in the data security controls, and not because Morgan Stanley did not take all reasonable and appropriate measures to protect the information.
Enter now a different federal agency, the Securities and Exchange Commission, and this time blame shifting was not accepted. Instead, the SEC concluded that Morgan Stanley had indeed failed to secure the data and to adhere to proper policies and practices designed for that purpose. Specifically, it found that two internal web portals gave employees free rein to access this data, which facilitated Marsh’s actions.
“Given the dangers and impact of cyberbreaches, data security is a critically important aspect of investor protection. We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information,” said the SEC in a release. Looks like Morgan Stanley won’t get off so easy this time. Wait, the penalty is $1 million? My mistake, they can blow their nose with that.
Even so. My point is, while I don’t pretend to know the internal politics of these agencies, the reversal of position from the FTC to SEC would seem to show that they are cracking down more on those who take a lax approach to cyber security, as awareness of the severity of data breaches increases. Don’t let your employees be the weak link in your data breach chain; otherwise, whether through mistake or malice, you’ll end up bogged down in your own Marshes.