COLUMN: Big fine for old servers proves risk of poor asset management


A significant fine this month for a data leak caused by improperly decommissioned technology shows how costly such breaches can be.

Morgan Stanley announced earlier this month that it would pay a $60 million fine related to a data breach lawsuit filed following a 2019 incident.

The preliminary settlement, reached in federal court for the Southern District of New York, seeks to resolve a class action lawsuit filed by Morgan Stanley customers over poor information security standards. In part, the plaintiffs said Morgan Stanley improperly transferred older servers containing customer data to an outside vendor. The bank then recovered the servers, according to Reuters. Fifteen million customers were potentially affected by the incident.

Data breaches are often described as a kind of “soft” theft. The typical clip art accompanying such a story shows a shadowy figure typing at a keyboard. Rarely do we depict the massive e-waste bins that, when mishandled, expose customer information to theft.

It is also rare that the cost of a data breach is so solidly quantified. In a consent order last October, the Office of the Comptroller of the Currency fined the bank for “fail[ing] to take necessary precautions to protect customer data” when it closed two data centers for its US wealth management operations in 2016. The bank did not maintain an inventory of customer data on those systems and failed to properly oversee the contractors it hired to ensure customer data was erased from old equipment, the OCC said in its consent order.

The settlement and the fine show that customers and regulators are taking data processing more seriously. Businesses need to manage the risk of their physical assets in several ways:

— Have your IT team or third-party provider map where your customer data is hosted and keep this information regularly updated, with a focus on the most sensitive personal data.

— Create an asset inventory to track assets containing sensitive data and ensure that any dismantling of this material is properly managed.

— Perform periodic hardware risk assessments, focusing on how you plan to deal with end-of-life assets.

— Offset certain risks of data leakage or exposure with cyber insurance products suitable for businesses.

— Create a retirement policy that integrates with your overall IT and data security strategy.

— Ensure that the data on every piece of data-carrying hardware is destroyed at the end of its life cycle. Destruction is the key. Some companies think their data is erased when they drop off devices for recycling, which isn’t always the case. Recycling these devices is important, but it has to be done the right way. Make sure your e-waste recycler is NAID Certified.
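The failures the OCC described, no inventory of what data the retired servers held and no verification of the contractor's erasure, can be turned into a release gate on the asset inventory itself. The following is an added illustration, not code from the column or from any vendor named in it; the field names, data classes and the constructed sample inventory are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed classification labels; "customer-pii" stands in for the data at issue in the column.
SENSITIVE_CLASSES = {"customer-pii", "confidential"}
LEFT_CUSTODY = {"transferred-to-vendor", "disposed"}

@dataclass
class Asset:
    asset_id: str
    location: str
    data_class: Optional[str]             # None = nobody ever recorded what data the device held
    custody: str                          # "in-service", "staged", "transferred-to-vendor", "disposed"
    sanitization: Optional[str] = None    # method actually applied, e.g. "purge" or "shred"
    certificate_id: Optional[str] = None  # contractor's certificate of destruction
    verified_by: Optional[str] = None     # internal staff member who checked that certificate

def release_blockers(asset: Asset) -> list[str]:
    """Reasons this asset must NOT leave custody yet. An empty list means it is cleared."""
    reasons = []
    if asset.data_class is None:
        reasons.append("data classification never recorded")
    elif asset.data_class in SENSITIVE_CLASSES:
        if asset.sanitization is None:
            reasons.append("sensitive data, no sanitization recorded")
        if asset.certificate_id is None:
            reasons.append("no certificate of destruction")
        elif asset.verified_by is None:
            reasons.append("certificate never verified internally")
    return reasons

def decommission_gaps(inventory: list[Asset]) -> dict[str, list[str]]:
    """After-the-fact audit: assets that already left custody with unresolved blockers."""
    return {a.asset_id: release_blockers(a) for a in inventory
            if a.custody in LEFT_CUSTODY and release_blockers(a)}

# Constructed sample inventory covering each gap the gate is meant to catch.
SAMPLE_INVENTORY = [
    Asset("srv-001", "DC-A rack 4", "customer-pii", "transferred-to-vendor", "purge", "CERT-1001", "j.doe"),
    Asset("srv-002", "DC-A rack 4", None, "transferred-to-vendor"),               # data never inventoried
    Asset("srv-003", "DC-B rack 1", "customer-pii", "disposed", "shred"),         # no certificate on file
    Asset("srv-004", "DC-B rack 2", "customer-pii", "disposed", "purge", "CERT-1002"),  # unverified vendor
    Asset("srv-005", "DC-B rack 2", "public", "disposed"),                        # nothing sensitive held
    Asset("srv-006", "DC-A rack 7", "customer-pii", "staged"),                    # still in custody
]

if __name__ == "__main__":
    for asset_id, reasons in decommission_gaps(SAMPLE_INVENTORY).items():
        print(asset_id, "->", "; ".join(reasons))
```

Run `release_blockers` before an asset is handed to a vendor, and `decommission_gaps` periodically over the whole inventory, so that an unverified contractor or an unclassified device surfaces as a finding rather than as a breach notification.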

Damage to physical property is easier to quantify for regulators (and sometimes plaintiffs). Companies aren’t even getting any corporate pardons in other breach scenarios, such as an attack by a sophisticated military or a new, ubiquitous ransomware scam. If the corporate adage “low-hanging fruit” were a regulatory burden, this would be it.

For further guidance on creating an asset inventory and gaining better control of your technology assets, the Cybersecurity and Infrastructure Security Agency offers resources for businesses of all sizes at

Kate Fazzini is CEO of Flore Albo LLC, assistant professor of cybersecurity at Georgetown University, author of Kingdom of Lies: Unnerving Adventures in the World of Cybercrime, and a former cybersecurity reporter for the Wall Street Journal and CNBC.

John Shegerian is co-founder and CEO of ERI, the nation’s first fully integrated computer and electronic asset destruction provider and cybersecurity-focused hardware destruction company. Business Journal readers can visit to receive a free copy of John’s new book, The Insecurity of Everything.
