Reflections on Cross-Functional Governance from recent OCC penalties on Morgan Stanley

The volume of sensitive consumer data and information collected by companies is exponentially increasing. Companies have an obligation to safeguard this data from breaches; this is clearly well understood, especially when the data is within the company.


However, the obligation does not stop when the data is being disposed of. The penalty of $60 million recently imposed by the Office of the Comptroller of the Currency (OCC) on Morgan Stanley highlights the need for vigilance even in this step. The OCC found Morgan Stanley in 2016 had “…among other things, failed to effectively assess or address the risks associated with the decommissioning of its hardware; failed to adequately assess the risk of using third-party vendors, including subcontractors; and failed to maintain an appropriate inventory of customer data stored on the devices.”. The OCC found similar control deficiencies in a decommissioning of devices done in 2019. From news reports, the breach is believed to have jeopardized sensitive customer information including names, account numbers (at Morgan Stanley and any linked bank accounts), contact information, passport number, social security number, date of birth, asset value, and holdings data. Morgan Stanley also confirmed the nature of the breaches in their notification letter stating, “We subsequently learned that certain devices believed to have been wiped of all information still contained some unencrypted data.”


Keeping data safe and secure today is not an easy task. Attacks continue to increase in frequency and sophistication; data is on the cloud with access in a variety of applications and disciplines. How can situations like that at Morgan Stanley be prevented? It is most critical to have a well-thought-out data management and governance strategy.


Most companies have sophisticated security programs and all the protocols in place for proper data destruction. But, clearly some things slip through the cracks – is this more common than we expect, especially given the cross-functional nature of the process. As we have previously noted, managing and stewarding data within organizations requires increased collaboration across silos. Data is a key focus for Business, Risk, Privacy, IT, and Security teams with each team holding critical pieces of the organization’s overall strategy around Data


Some important aspects to consider for addressing these sorts of issues come to mind. First, it is critical to ensure all key stakeholders are involved when the plans for data relocation and disposition are being made and implemented. Identifying the project as a data destruction project should ideally trigger the involvement of Security and Information Governance teams. Processes for Data disposition projects should require IT, teams, to consult on security, privacy, and records aspects with everyone having a clear understanding of the scope of the project. Improving cross-functional governance, in general, is a broader issue –as mentioned before, more than 50% of organizations in a recent CPO survey viewed cohesion across business units as a key challenge around data privacy and security.


Second, there has to be a clear way to incorporate learnings and continuously improve. In the case of Morgan Stanley, it appears issues present in 2016 (around decommissioning of data centers) were still present in 2019 in a similar but slightly different