News and Announcements
  • EVENTS

    It’s no secret – USLAW can host a great event. Throughout the year, we have a full… Continue Reading

  • USLAW NETWORK Foundation announces Foundation Partners program

    The USLAW NETWORK Foundation, the philanthropic division of USLAW NETWORK, is excited to announce its first group… Continue Reading

For Law Firms
  • USLAW for Law Firms

    USLAW was founded in 2001 and has focused on delivering exceptional client service, trusted relationships and friendships… Continue Reading

For Clients and In-House Legal Decision Makers
  • USLAW for Clients and Legal Decision-Makers

    USLAW NETWORK provides legal decision-makers with access to attorneys who are highly knowledgeable and skilled in jurisdictions… Continue Reading

For Corporate Partners
  • USLAW for Corporate Partners

    USLAW NETWORK is supported by our family of corporate partners, each of whom provides a high-level expertise… Continue Reading

For Attorneys
  • USLAW for Attorneys

    USLAW NETWORK is a terrific business development, networking, and professional development organization for lawyers across a spectrum… Continue Reading

Featured
  • Construction Law

    The members of the USLAW Construction Law Group represent owners, developers, general contractors, subcontractors in all trade… Continue Reading

  • Energy and Environmental Law

    The USLAW NETWORK Energy and Environmental Law Practice Group includes attorneys from across the NETWORK who are… Continue Reading

Featured Resources
  • USLAW releases Spring 2024 issue of USLAW Magazine

    WHAT YOU'LL FIND IN THIS ISSUE In this issue of USLAW Magazine, we feature articles that delve… Continue Reading

  • State Judicial Profiles by County

    State Judicial Profiles by County Jurisdictional awareness of the court and juries on a county-by-county basis is… Continue Reading

USLAW Foundation News
  • Commitment to Diversity

    From the beginning of our organization, USLAW NETWORK has championed the cause of racial equality. We believe… Continue Reading

  • USLAW NETWORK Foundation announces Foundation Partners program

    The USLAW NETWORK Foundation, the philanthropic division of USLAW NETWORK, is excited to announce its first group… Continue Reading

FTC Sends “Message” on Data Security in Closing Letter to Morgan Stanley

POSTED SEPTEMBER 22, 2015

A special to USLAW NETWORK and USLAW DigiKnow

By Karen Painter Randall, Connell Foley LLP, Roseland, New Jersey


Recently, companies have been requesting that the Federal Trade Commission (“FTC”) provide additional guidance on data security. On August 10, 2015, the FTC issued a public closing letter to Morgan Stanley Smith Barney LLC (“Morgan Stanley”) regarding the agency’s investigation into a data breach involving client information, which sheds some light into same.

By way of background in January 2015, a Morgan Stanley employee admitted to inappropriately transferring account information for 350,000 Morgan Stanley clients from the company’s network to a personal website and then to a personal device. Hackers then reportedly accessed some of this information and posted account information, including client names, account numbers, and investment details for 1,200 clients on multiple public websites. Upon learning of this data breach, the FTC initiated an investigation into Morgan Stanley’s data security practices to determine whether the company engaged in unfair or deceptive acts or practices in violation of the Section 5 of the FTC Act by failing to implement reasonable security measures to protect the clients’ account information.

On August 10, 2015, the FTC sent a letter to Morgan Stanley notifying the company that it was closing its investigation because Morgan Stanley had established and implemented comprehensive policies designed to protect against insider theft of personal information. The letter explained that Morgan Stanley had in place a policy limiting employee access to only the personal information for which they had a business need. Morgan Stanley also had processes in place to limit or prevent employees’ from transferring personal information, including monitoring the size and frequency of data transfers by employees, prohibiting employee use of USB and similar devices for transferring information, and blocking employee access to certain high-risk websites and applications. Another factor influencing the agency’s decision to close the investigation was that Morgan Stanley quickly fixed improper configurations that allowed employees to access control for a narrow set of reports once this problem was brought to its attention.

Generally, the FTC will confidentially close privacy and data security investigations, without informing the public as to the existence of the investigation or why it was closed. However, when the FTC chooses to issue a public closing letter, it will often do so to send a specific message or lesson to companies. Here, the Morgan Stanley closing letter offers some guidance to organizations relevant to data security. First, a company must consider not only external risks to the company, but internal risks as well. While much attention is given to the risks of malicious attacks from hackers, many data breaches are the result of human error and system glitches. Second, the FTC has long emphasized that companies should identify and address reasonably foreseeable internal risks that could result in a breach. These risk mitigation efforts will be considered by the FTC when deciding whether to close an investigation.  Lastly, a company must promptly address security issues when they are discovered.

Designed & Developed by Peak Seven