According to the SEC order, MSSB in 2014 executed a contract with a moving and storage company to decommission two of its primary data centers. The moving company’s job was to “pick-up, transport and decommission” certain electronic devices from MSSB data centers in 2016.
The contract with MSSB further stated that the moving company would work with an e-waste management company responsible for wiping or destroying any data on the decommissioned devices before reselling any of those devices. Under that contract, MSSB was to receive Certificates of Destruction (CODs) documenting the destruction of relevant devices.
According to the SEC, “MSSB failed to properly monitor the moving company’s work.” At some point during the engagement, the moving company stopped working with the e-waste management company and, instead, “began selling unwiped devices removed from MSSB’s data centers to another third party.” However, MSSB was not notified of this. Thus, the new third party was “never vetted by MSSB and was never approved as a vendor or sub-vendor for this decommissioning,” the SEC order stated.
Consequently, the moving company ended up selling thousands of unwiped hard drives, some of which contained unencrypted customer data. Most of the devices sold have not been recovered, the SEC stated.
In other instances, MSSB “failed to properly safeguard customer PII and properly dispose of consumer report information when it decommissioned local office and branch servers as part of a broader hardware refresh program,” the SEC stated. Specifically, “In 2019, MSSB decommissioned approximately 500 of these local devices as part of a broader hardware refresh program,” the SEC order stated.
When MSSB undertook a cross-check and reconciliation of all its records to confirm the destruction of these and previously decommissioned local storage devices, it could not locate 42 devices, which all potentially contained unencrypted customer PII and consumer report information, the SEC continued.
“The local devices were equipped with encryption capability, but MSSB failed to activate the encryption software until 2018,” the SEC order stated. “Once activated, however, due to a manufacturer flaw, the encryption software only encrypted newly created data.” Thus, some data stored on the devices prior to 2018 remain unencrypted.
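The two failure modes described above, devices that leave the decommissioning pipeline without a certificate of destruction and devices whose data predates the activation of encryption, are both things a defender can catch with a routine reconciliation of the asset register. The following is an added illustration, not code from the order or from MSSB; the serials, dates and certificate list are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed asset register of decommissioned local storage devices
# (hypothetical serials, sites and dates; not any firm's real records).
@dataclass
class Device:
    serial: str
    site: str
    oldest_data: date                    # earliest data written to the device
    encryption_enabled: Optional[date]   # when at-rest encryption was switched on; None if never

ASSETS = [
    Device("SRV-0001", "branch-a", date(2015, 3, 1), date(2018, 6, 1)),
    Device("SRV-0002", "branch-b", date(2019, 1, 15), date(2018, 6, 1)),
    Device("SRV-0003", "branch-c", date(2016, 9, 9), None),
    Device("SRV-0004", "branch-d", date(2019, 2, 2), date(2018, 6, 1)),
]

# Constructed set of serials for which a certificate of destruction (COD) was received.
CODS = {"SRV-0001", "SRV-0004", "SRV-9999"}

def reconcile(assets, cods):
    """Cross-check the asset register against the CODs returned by the disposal vendor.

    unaccounted    - decommissioned devices with no COD (chain of custody is broken)
    plaintext_risk - devices holding data written before encryption was enabled, or
                     never encrypted, so that data may sit unencrypted at rest
    unknown_cods   - CODs naming serials that are not in the register (vendor
                     paperwork that cannot be tied to an owned device)
    """
    known = {d.serial for d in assets}
    unaccounted = sorted(d.serial for d in assets if d.serial not in cods)
    plaintext_risk = sorted(
        d.serial for d in assets
        if d.encryption_enabled is None or d.oldest_data < d.encryption_enabled
    )
    unknown_cods = sorted(s for s in cods if s not in known)
    return {"unaccounted": unaccounted,
            "plaintext_risk": plaintext_risk,
            "unknown_cods": unknown_cods}

def high_priority(result):
    """Devices that are both missing and likely to hold cleartext customer data."""
    return sorted(set(result["unaccounted"]) & set(result["plaintext_risk"]))

if __name__ == "__main__":
    report = reconcile(ASSETS, CODS)
    print(report)
    print("escalate:", high_priority(report))
```

The check treats a device as at risk whenever its oldest data predates the encryption activation date, which is exactly the gap left when encryption is turned on late and only covers newly written data.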
Without admitting or denying its findings, MSSB consented to the SEC’s order for violations of the Safeguards and Disposal Rules under Regulation S-P.
Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.