Two CD-ROMs containing the private information of 34,000 investment clients of Morgan Stanley Smith Barney still have not been found, but the controversy over who’s to blame for the data breach continues to grow. In statements to Credit.com, Morgan Stanley and the New York State Department of Taxation and Finance blame each other for the mess.
“We were notified by the state that the package appeared to be intact when it arrived at the facility, however the discs were not contained in it when it was given to the intended recipient” inside the department, Jim Wiggins, a spokesman for Morgan Stanley Smith Barney, told us.
Not so fast, says the state. If Morgan Stanley had bothered to encrypt the CDs before sending them, none of this would have happened. The state doesn’t know where the CDs are now, but that doesn’t mean it lost them, says Susan Burns, a spokeswoman for the tax department.
Maybe they were lost in the mail, Burns says.
“We have no information that we can use to corroborate that the two compact disks were in the envelope when it arrived at the Department,” Burns said in an email. “We cannot determine whether the disks were lost in transit via the US Postal Service or within the Department.”
Why does it even matter that two CD-ROMs are missing? Because they contained the names and Social Security numbers of a number of wealthy New Yorkers. The data concerned investors in tax-advantaged bonds, which tend to be investors with quite a bit of money, says Adam K. Levin, founder and chairman of Credit.com.
Since neither side knows where the CDs are, no one can say whether the data was stolen, or whether it’s merely sitting innocently on the wrong person’s desk.
What’s interesting is that the whole episode has exposed some confusion about what the law actually says regarding data transmissions of this type. The law in question is the New York Information Security Breach and Notification Act (ISBNA). In her original emailed statement, Burns said that while the CDs were protected by passwords, “(u)nfortunately, password protected is not the equivalent of encrypted which is the requirement of ISBNA and industry best practice.”
Later, the tax department learned differently. The state law does not require companies to encrypt data; rather, it says only that if unencrypted data is lost, companies must notify consumers and regulatory agencies of a possible data breach. In case you really want to dig into this, here’s the law itself.
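The distinction Burns draws between “password protected” and “encrypted” is the technical heart of the story, so here is an added illustration of it (example code written for this page, not anything from Morgan Stanley or the tax department). It builds two containers around a constructed two-line client record: one that only gates access with a password check while storing the records in the clear, and one whose contents are actually encrypted under a key derived from the password. The encryption here is a deliberately small HMAC-SHA256 counter-mode construction using only the Python standard library; in practice a vetted authenticated cipher such as AES-GCM or ChaCha20-Poly1305 from a maintained library would take its place.

```python
import hashlib
import hmac
import secrets

# Constructed sample records standing in for the client data in the story.
SAMPLE_RECORDS = b"Doe, Jane;123-45-6789\nRoe, Richard;987-65-4321\n"
PBKDF2_ROUNDS = 200_000


def password_gated_container(password: str, data: bytes) -> bytes:
    """'Password protection' as an access check only: the reader verifies a
    password hash before showing the data, but the data is stored in the clear."""
    salt = secrets.token_bytes(16)
    check = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return b"GATED" + salt + check + data


def open_password_gated(container: bytes, password: str) -> bytes:
    """The 'honest' reader: refuses without the right password."""
    salt, check, data = container[5:21], container[21:53], container[53:]
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if not hmac.compare_digest(check, attempt):
        raise PermissionError("wrong password")
    return data


def contains_plaintext(container: bytes, needle: bytes) -> bool:
    """Whoever holds the raw bytes (a found disc, a stray copy) can simply search
    them; the password check in the reader is irrelevant to them."""
    return needle in container


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256; a stand-in for a real AEAD cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return master[:32], master[32:]  # separate encryption and MAC keys


def encrypted_container(password: str, data: bytes) -> bytes:
    """Real encryption: without the key the stored bytes carry no usable information,
    and an integrity tag detects tampering or a wrong password."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return b"ENC" + salt + nonce + tag + ciphertext


def open_encrypted(container: bytes, password: str) -> bytes:
    salt, nonce = container[3:19], container[19:35]
    tag, ciphertext = container[35:67], container[67:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrong password or tampered container")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


if __name__ == "__main__":
    ssn = b"123-45-6789"
    gated = password_gated_container("hunter2", SAMPLE_RECORDS)
    enc = encrypted_container("hunter2", SAMPLE_RECORDS)
    print("SSN visible in raw bytes of password-gated container:", contains_plaintext(gated, ssn))
    print("SSN visible in raw bytes of encrypted container:      ", contains_plaintext(enc, ssn))
    print("Encrypted container opens with the right password:    ", open_encrypted(enc, "hunter2") == SAMPLE_RECORDS)
```

The point the two containers make is the one the state eventually backed away from as a legal matter but that remains true as an engineering one: a password that only guards the viewer does nothing for a disc that falls out of an envelope, while a key derived from that same password, used for real encryption, means the lost medium is just noise to whoever finds it.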
“We believe we were in compliance with requirements” set forth by the law, Wiggins says.
Then there’s the question of how the data was sent. Some websites have suggested that Morgan Stanley could have used a secure data pipeline to send the data. This turns out not to be the case. While the Department of Taxation and Finance does now have a secure pipeline that allows for encrypted data transmissions, they didn’t ask Morgan Stanley to use the application because the software “was not fully implemented until after the request for annual data was sent,” Burns says.