Via Matt Levine, I learn of an SEC complaint against Morgan Stanley Smith Barney (MSSB):
The Securities and Exchange Commission today announced charges against Morgan Stanley Smith Barney LLC (MSSB) stemming from the firm’s extensive failures, over a five-year period, to protect the personal identifying information, or PII, of approximately 15 million customers. MSSB has agreed to pay a $35 million penalty to settle the SEC charges.
The SEC’s order finds that, as far back as 2015, MSSB failed to properly dispose of devices containing its customers’ PII. On multiple occasions, MSSB hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the PII of millions of its customers. Moreover, according to the SEC’s order, over several years, MSSB failed to properly monitor the moving company’s work. The staff’s investigation found that the moving company sold to a third party thousands of MSSB devices including servers and hard drives, some of which contained customer PII, and which were eventually resold on an internet auction site without removal of such customer PII. While MSSB recovered some of the devices, which were shown to contain thousands of pieces of unencrypted customer data, the firm has not recovered the vast majority of the devices.
The SEC’s order also finds that MSSB failed to properly safeguard customer PII and properly dispose of consumer report information when it decommissioned local office and branch servers as part of a broader hardware refresh program. A records reconciliation exercise undertaken by the firm during this decommissioning process revealed that 42 servers, all potentially containing unencrypted customer PII and consumer report information, were missing. Moreover, during this process, MSSB also learned that the local devices being decommissioned had been equipped with encryption capability, but that the firm had failed to activate the encryption software for years.
“MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so,” said Gurbir S. Grewal, Director of the SEC’s Enforcement Division. ...
Without admitting or denying its findings, MSSB consented to the SEC’s order finding that the firm violated the Safeguards and Disposal Rules under Regulation S-P and agreed to pay the aforementioned penalty.
What immediately came to mind was the Marchand line of Caremark cases. Here's a good summary of the law by Seyfarth Shaw lawyers:
In its 1996 In re Caremark decision, the Delaware Court of Chancery articulated a standard of liability with respect to a board of directors’ oversight failures. The Delaware Court of Chancery explained that such oversight duties stem from directors’ duty to act in good faith and to be “reasonably informed concerning the corporation.” Caremark, 698 A.2d at 970. The Delaware Court of Chancery concluded that in order to fulfill the obligation to be reasonably informed, the board must first assure itself “that the corporation’s information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operations.” Id. ...
In June 2019, an en banc panel of the Delaware Supreme Court clarified the pleading requirements for Caremark claims in Marchand v. Barnhill. 212 A.3d at 805. In Marchand, the Delaware Supreme Court reversed the Delaware Court of Chancery’s dismissal of Caremark claims finding that the complaint alleged facts supporting a reasonable inference that the board “failed to implement any system to monitor [the company’s] food safety performance or compliance.” Id. at 809.
The Marchand decision reiterated that the board has a duty to exercise oversight and to monitor “the corporation’s operational viability, legal compliance, and financial performance” by making a good faith “attempt to assure a reasonable information and reporting system exists” and then taking steps to monitor and oversee the system. Id. The Marchand court clarified that failures to either (i) implement reasonable systems or (ii) to monitor the existing systems are “act[s] of bad faith in breach of the duty of loyalty.” Id. In other words, implementing a system that is not reasonable under the circumstances could expose a board to liability as could the failure to monitor the system.
In Marchand, the company manufactured ice cream and, the court determined, lacked a board-level system of oversight of food safety. The court described food safety as a "mission critical" component of the business, which heightened the need for board oversight. Similarly, in the subsequent Boeing case, the court zeroed in on the board's lack of oversight with respect to passenger safety, which was a mission critical concern for the airplane manufacturer.
Pertinent to MSSB's situation, cyber security is increasingly regarded as a mission critical issue. The Seyfarth Shaw memorandum continues:
... the Delaware courts have emphasized the importance of the board’s oversight duties, particularly with respect to mission-critical company issues and risks. Possible inadequacies of oversight systems in these mission critical areas will likely cause courts to give added scrutiny to boards’ oversight of them. Cyber-security poses an area of increasing risk for companies. With the progressive sophistication of cyber criminals in disrupting operations to extort payment, cyber-security is likely to be considered a significant risk for most businesses. Board oversight of cyber-security risks and risk mitigation policies is important for most companies and their directors.
In fact, in a recent Caremark case, the Delaware Court of Chancery acknowledged that cyber-security was “an area of consequential risk that spans modern business sectors.” Firemen’s Ret. Sys. of St. Louis on behalf of Marriott Int’l, Inc. v. Sorenson, No. CV 2019-0965-LWW, 2021 WL 4593777, at *11 (Del. Ch. Oct. 5, 2021).
As Levine explains, this is particularly true for banks:
In recent years it has been popular for investment bank executives to say that they were becoming tech companies: They were hiring developers, building apps, talking about big data.
It may be that Caremark claims against MSSB will be barred by the statute of limitations. It sounds like the problem occurred in 2016 and that MSSB began remediation efforts sometime in 2017. Not my area of expertise.
At the very least, however, it would make a good exam question.