Companies have been pressing the Federal Trade Commission (FTC) for additional guidance on data security, and the agency recently delivered. On August 10, 2015, the FTC issued a public closing letter to Morgan Stanley Smith Barney LLC (Morgan Stanley) regarding the agency’s investigation into concerns that the company “fail[ed] to secure, in a reasonable and appropriate manner, account information related to Morgan Stanley’s Wealth Management clients.”1 In the context of data security investigations, closing letters—which explain why FTC staff opted to close an investigation—have the potential to offer helpful insights on what security measures the FTC considers to be reasonably designed to protect the privacy and security of personal information. Knowing what factors influenced the FTC staff’s decision to close an investigation in one instance is as instructive as knowing why the staff decided to pursue an enforcement action in another.
Morgan Stanley Data Breach
In January 2015, a Morgan Stanley employee admitted to inappropriately transferring account information for 350,000 Morgan Stanley clients from the company’s network to a personal website and then to a personal device. Hackers then reportedly accessed some of this information and posted account information, including client names, account numbers, and investment details, for 1,200 clients on multiple public websites.2 Upon learning of this data breach, the FTC initiated an investigation into Morgan Stanley’s data security practices to determine whether the company engaged in unfair or deceptive acts or practices in violation of Section 5 of the FTC Act by failing to implement reasonable security measures to protect the clients’ account information.
FTC Closing Letter
On August 10, 2015, the FTC sent a letter to Morgan Stanley notifying the company that it was closing its investigation because Morgan Stanley had “established and implemented comprehensive policies designed to protect against insider theft of personal information.” The letter explained that Morgan Stanley had in place a policy limiting employee access to only the personal information for which they had a business need. Morgan Stanley also had processes in place to limit or prevent employees’ transferring of personal information, including monitoring the size and frequency of data transfers by employees, prohibiting employee use of USB and similar devices for transferring information, and blocking employee access to certain high-risk websites and applications. During its investigation, the agency found that the Morgan Stanley employee was able to access the client account information in spite of these policies because of improperly configured access controls for a “narrow set of reports.” Another factor influencing the agency’s decision to close the investigation was the fact that Morgan Stanley quickly fixed these improper configurations when they were brought to its attention.
As is customary, the FTC’s closing letter noted that the decision to close its investigation should not be taken to mean that a violation of Section 5 did not occur, and the FTC reserved the right to take further action against the company.
The FTC tends to confidentially close privacy and data security investigations, without informing the public as to the existence of the investigation or why it was closed. When the FTC chooses to issue a public closing letter, it often does so to send a specific message or lesson to industry. The Morgan Stanley closing letter offers several takeaways:
- Companies must consider not only external risks to the company but internal risks as well. While much attention is given to the risks of malicious attacks from hackers, 54 percent of breaches last year were caused by human error and system glitches. All three factors were at play in the Morgan Stanley data breach.
- The FTC has long emphasized that companies should identify and address reasonably foreseeable internal risks that could result in a breach, and the closing letter offers insights into what risk mitigation efforts the FTC will consider when weighing whether to close an investigation. First and foremost, companies should implement policies limiting employee access to only the personal information for which they have a business need. If employees don’t need information to do their jobs, they shouldn’t have access to it. Second, when appropriate in light of a company’s size, complexity, and nature of the data handled, a company should establish both administrative policies and technical measures to limit or prevent employees’ transferring of personal information, including using tools to monitor the size and frequency of data transfers by employees, prohibiting employee use of USB and similar devices for transferring information, and blocking employee access to certain high-risk websites and applications.
- Companies must promptly address security issues when they come to their attention. In closing the investigation, the FTC was influenced by the fact that Morgan Stanley, once aware of how the unauthorized access took place, took quick action to address the weaknesses in its security measures.
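One way to implement the monitoring of transfer size and frequency that the closing letter describes, as an added example that is not code from the FTC letter or from Morgan Stanley; the log format, the thresholds and the sample log lines are all constructed for this illustration:

```python
"""Flag employees whose outbound transfers exceed a volume or a frequency
threshold within a rolling window. Added example; log format, thresholds
and sample lines are constructed, not taken from any real system."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, destination host, bytes transferred
SAMPLE_LOG = """\
2015-01-05T09:01:00 alice fileshare.corp.example 20480
2015-01-05T09:03:00 bob reports.corp.example 4096
2015-01-05T09:05:00 alice fileshare.corp.example 10240
2015-01-05T09:40:00 bob pastebin.example 734003200
2015-01-05T09:41:00 bob pastebin.example 5242880
2015-01-05T09:42:00 bob pastebin.example 5242880
2015-01-05T09:43:00 bob pastebin.example 5242880
2015-01-05T09:44:00 bob pastebin.example 5242880
2015-01-05T11:00:00 alice fileshare.corp.example 512
"""


def parse(log_text):
    """Yield (timestamp, user, destination, size_bytes) per log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, dest, size = line.split()
        yield datetime.fromisoformat(ts), user, dest, int(size)


def flag_transfers(log_text, window=timedelta(minutes=60),
                   max_bytes=100 * 1024 * 1024, max_count=4):
    """Return {user: set(reasons)} for users who exceed either threshold.
    Each transfer is judged against the window ending at its own timestamp,
    so a single large upload and a burst of small ones are both caught."""
    recent = defaultdict(deque)   # user -> (timestamp, size) inside window
    flagged = defaultdict(set)
    for ts, user, dest, size in sorted(parse(log_text)):
        q = recent[user]
        q.append((ts, size))
        while q and ts - q[0][0] > window:   # drop entries older than window
            q.popleft()
        if sum(s for _, s in q) > max_bytes:
            flagged[user].add("volume")
        if len(q) > max_count:
            flagged[user].add("frequency")
    return dict(flagged)
```

On the constructed log, `bob` is flagged for both volume (one 700 MB upload) and frequency (six transfers within the hour), while `alice` stays under both thresholds.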
The FTC’s closing letter and accompanying blog post reiterate that reasonable security is an “ongoing process” and changes over time based on current risks and technologies.3 As employees increasingly use personal websites and applications in the workplace, companies should implement appropriate controls to address the risk of broad employee access to information.4
1 FTC, Closing Letter to Morgan Stanley Smith Barney LLC, August 10, 2015, https://www.ftc.gov/system/files/documents/closing_letters/nid/150810morganstanleycltr.pdf.
2 See Justin Baer, “U.S. Shifts Focus of Morgan Stanley Breach Probe,” The Wall Street Journal, February 18, 2015, http://www.wsj.com/articles/u-s-shifts-focus-of-morgan-stanley-breach-probe-1424305501.
3 Lesley Fair, “Letter to Morgan Stanley Offers Security Insights About Insiders,” FTC Business Blog, August 10, 2015, https://www.ftc.gov/news-events/blogs/business-blog/2015/08/letter-morgan-stanley-offers-security-insights-about.