
Morgan Stanley Data Breach Hits Investors

by Christopher Maag on 07/05/2011

Personal information belonging to 34,000 investment clients of Morgan Stanley Smith Barney has been lost, and possibly stolen, in a data breach. According to two letters sent to clients, and obtained by Credit.com, the information includes clients’ names, addresses, account and tax identification numbers, the income earned on the investments in 2010, and—for some clients—Social Security numbers.

The data was saved on two CD-ROMs that were protected by passwords, according to the letters, but the CDs were not encrypted.

“There’s no evidence that there was any criminal intent here, or actual misuse of this information,” Jim Wiggins, a spokesman for Morgan Stanley Smith Barney, said in a phone interview.

The company mailed the CDs containing information about investors in tax-exempt funds and bonds to the New York State Department of Taxation and Finance. It appears the package was intact when it reached the department, but by the time it arrived on the desk of its intended recipient the CDs were missing, Wiggins said.

The state notified Morgan Stanley Smith Barney about the lost data on June 8. The company took two weeks to conduct an “exhaustive search” of all the facilities the package passed through, Wiggins said, and then mailed the letters to clients on June 24. The tax department did not return a call for comment.


The discs were password-protected but not encrypted. “We’re going to work with the state to see if we can improve the security of this data transmission,” Wiggins said.

That’s important, according to Adam Levin, founder and chairman of Credit.com and a data security expert. “Anybody can break a password,” Levin said. “The question is: Why wasn’t it encrypted?” (Read Levin’s column about the breach, “The Morgan Stanley Smith Barney Breach: Losing Client Data the Old Fashioned Way.”)

The two letters differ in how they instruct clients to protect themselves. In one letter, Morgan Stanley Smith Barney merely suggests that recipients check their financial statements, and report anything suspicious to their financial institutions or various, unnamed “consumer reporting agencies.”

In the other letter, mailed only to clients whose Social Security numbers were lost, the company announces it will pay for clients to enroll in a year’s worth of credit monitoring services by Experian, one of the three major credit bureaus. This letter also instructs victims to call the Federal Trade Commission, and informs clients that they are entitled under U.S. law to one free credit report annually from the three major credit bureaus.

The fact that Morgan Stanley Smith Barney is willing to pay for such a service underscores the importance of the missing data, says Levin.

“This is pretty tasty stuff for somebody,” Levin says. “This isn’t just an identity. This is an identity attached to assets.”


Contributing writer for Credit.com, Chris graduated with honors from the Columbia University Graduate School of Journalism, and has reported for a number of publications including The New York Times, TIME magazine and Popular Mechanics. Have a question for our experts? Email them at CreditExperts@Credit.com.

Comments


John September 25, 2011 at 12:56 PM

Perhaps an even bigger issue for Morgan Stanley Smith Barney is that their recent account agreements have no valid predispute arbitration clause. See below.

In The Morgan Stanley Smith Barney, Active Assets Account Application, there is a definition on Page 1 of the Active Assets Account Application. On page 1, top, line two has the phrase: ‘Active Assets Account Application (“Agreement”)’ identifying the 10 page, 15 Section document as “Agreement”.

Yet, on page 10 of the Agreement, top, right hand box, the wording “are governed by a predispute arbitration clause (see pages 24 of the Agreement)” appears. This makes it crystal clear that more than one Agreement is being discussed, since the Active Assets Account Application is ten pages long and has no page 24. This second ‘Agreement’ could be anything from the Los Angeles Phone Book to the Constitution of Afghanistan.

The legal department of Morgan Stanley Smith Barney has defined the word Agreement and then voided their own definition. They have therefore created an invalid, illegal, and non-binding document since there is no separability clause in this document contending that other parts are valid even if one section is not.

Unfortunately, this is not the only arbitrary citation in this document. On page 9, top, Section 15, Signatures, the Active Assets Account Application states: “you acknowledge and agree to the terms of the Agreement dated May 2010 or later, as amended from time to time, which is incorporated by reference herein and of which you hereby acknowledge receipt”. Page 1 of the Active Assets Account Application, line 2 has the phrase: ‘Active Assets Account Application (“Agreement”)’ and has, in the lower, right hand corner of Page 1, Version Date: July 2010. By rigorous logic, one would conclude that this document cites itself for inclusion in itself and is therefore infinitely long and recursive. An alternative interpretation of this clause is that there is yet a third ‘Agreement’ that is being referred to and is now incorporated into the document.
