Multi-million dollar ITAD fine for bank

05 January 2021
3 minute read
Best practice


International bank Morgan Stanley have been hit with a $60 million fine from the US Treasury Dept. for “engaging in unsafe or unsound practices relating to information security and noncompliance”; this was brought about by failures in their ITAD (IT Asset Disposition) policies and procedures.
The “Office of the Comptroller of the Currency” (OCC) – which, as part of the Treasury Dept. regulates and supervises all national banks, and federally licensed branches of foreign banks, in the United States of America – issued a “consent order” that gave more details on the issues. They found that, in 2016, Morgan Stanley fell short in several areas and failed to:

  • Exercise proper oversight of the decommissioning of two datacentres
  • Effectively assess/address risks associated with the decommissioning of its hardware
  • Adequately assess the risk of using third-party vendors, including subcontractors
  • Maintain an appropriate inventory of customer data stored on the devices
  • Exercise adequate due diligence in selecting the third-party vendor
  • Adequately monitor the vendor’s performance

They then experienced “similar vendor management control deficiencies” in 2019, prompting further action. It seems that data was left on devices post-decommissioning and that they were also unable to account for some of the server hardware after it had been retired. As well as the OCC fine, Morgan Stanley now face a range of class-action lawsuits that have been brought by customers.

We have highlighted several times this year that, with the rise of remote working driven by COVID-19, Hardware Asset Management (HAM) and IT Asset Disposition (ITAD) are more critical than ever before. This case helps highlight some of the elements that must be considered when implementing these areas within the business, and shows that simply passing the work off to a third party isn’t the end of it: the bank remains accountable for the data on the retired hardware. If engaging with an ITAD provider, you must ensure that you have procedures in place to:

  1. Select the right partner and assess the risks
    • Check their credentials and certifications, as well as their lifecycle management processes
  2. Continually monitor that they’re doing what they should be
    • Regular checks, a set of benchmark criteria, a process for remediation

While this multi-million dollar ITAD fine is perhaps an above-average penalty, it does highlight the possible risks – financial and reputational – that can accompany less than stellar ITAD management. Consider this as you work with your business to identify priorities for 2021.

Further Reading

ITAD firms weigh in on bank’s $60M data mismanagement fine
OCC Consent order
What you need to know about ITAD
ITAD maturity assessment
