The Morgan Stanley Data Breach Smear

News today of a data breach at Morgan Stanley has followed the usual pattern. Some self-appointed expert writes a blog post and gets on the news to highlight the apparent negligence of a large and respected company in the handling of its customers’ information. This is followed by carefully worded statements from “spokesmen” for both the company and the other parties to the debacle; in this case the other party was the New York State Department of Taxation and Finance. Then dozens of news outlets pile on without doing any digging whatsoever to confirm the facts.

Morgan Stanley claims to have information or evidence showing that a package it sent to the New York State Department of Taxation and Finance arrived at its destination “intact.” How it knows this has not been discussed publicly. Regardless, the CDs are now unaccounted for. The New York Department of Taxation stated, according to the website credit.com, “if Morgan Stanley had bothered to encrypt the CDs before sending them, none of this would have happened.” This implies that Morgan Stanley followed poor practices when securing the data it sent. But later in the same article it is revealed that “while the Department of Taxation and Finance does now have a secure pipeline that allows for encrypted data transmissions, they didn’t ask Morgan Stanley to use the application because the software ‘was not fully implemented until after the request for annual data was sent.’ ” [emphasis is mine] These statements are attributed to New York Department of Taxation and Finance spokesperson Susan Burns. In fairness, credit.com did not use quotation marks around the “if Morgan Stanley had bothered…” comment, so that bit of editorial confusion may have been cooked up by credit.com to spice up its story.

In general, when private companies send data to the state they are compelled to do so. The format, the timing, and the security (or lack thereof) are all part of the state’s command to send data. For example, if the data were to be encrypted, then a scheme to protect the keys and to transmit them for decryption would have to be agreed upon in advance. This would be explicitly true for the use of, say, AES-256 encryption with WinZip or another encrypting program, where the sender and receiver must agree on how the key or passphrase is delivered separately from the data. It would be implicitly true for the use of TLS and an encrypted channel over the Internet, where the key agreement is handled by the protocol but both sides must still have the software in place. Either way, the state makes the rules. If Morgan Stanley used, say, Microsoft Office Excel password protection to secure the data, that was most likely because that is what the New York State Department of Taxation and Finance insisted upon. This is probably why the commentary coming from New York State has been relatively mild and has not unequivocally pointed the finger of blame at Morgan Stanley. After all, it appears that at least some of the data sent to the NY State Department of Taxation and Finance has not been secured according to NY statute for at least five years. Probably budgetary pressures.

In this case the law in question is the New York Information Security Breach and Notification Act (ISBNA). It appears that both Morgan Stanley and the New York State Department of Taxation and Finance are in fact covered by the ISBNA, which was originally enacted in late 2005. However, upon review of New York State Technology Law Section 208 (the part of ISBNA that pertains to state agencies), it appears that what happened to the CDs from Morgan Stanley was not, in the eyes of New York State, a “data breach”. Here is the definition of “breach of the security system” contained in State Technology Law Section 208: “Breach of the security system means an ‘unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business. Good faith acquisition of personal information by an employee or agent of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.’ ” So the breach was not a breach, and it appears that Morgan Stanley and, reluctantly, the New York State Department of Taxation and Finance have decided to notify taxpayers in New York out of an abundance of caution. Please note that no one is congratulating Morgan Stanley for taking the high road in its ongoing compliance with New York State law. It did not have to notify its customers, but it chose to anyway.

The moral of this sad story is that when it comes to suspected data breaches, companies are damned if they do and damned if they don’t. A company like Morgan Stanley, which has excellent technology infrastructure and a reasonably good track record when it comes to protecting information, will be tarred with the same brush used on companies like Sony and others who arguably turned a blind eye to the protection of information in their care. You have a good reputation until you don’t. The moment that reputation expires is chosen by people you have never met, who have only sketchy access to the facts and who then twist those facts to their own advantage. Welcome to data breach notification, United States style.

[Author’s Note: I have no inside information concerning this incident and have not included any proprietary information in this blog.]

Comment #1, July 26th, 2011 at 10:15

    @Chris Maag
    Dear Chris, First let me apologize for not responding to your comment for two weeks. I saw that there was a comment to my blog of the 11th but for some reason could not see your comment until now. Also, when I posted my blog, I had not seen your idt911 blog of the 12th which added more information.

    There are two issues here raised by the original story: (1) was Morgan Stanley negligent in merely password protecting rather than encrypting the private data; and (2) was a breach notification required by law.

    Regarding the first issue, the original story used the words “…if Morgan Stanley had bothered…” to encrypt the data… etc. etc. You did not use quotation marks to attribute that comment to anyone else, so I am justified in assuming that was your editorial conclusion; hence my comment about “…may have been cooked up by credit.com to spice up…”. Unfortunately, this is the phrase I picked up on that prompted my original blog, because with it your story fits the standard editorial slant we so often see: “Big Company ignores personal privacy…” Your story does not focus at all on the NY Tax Department and their culpability here. I mean, how could they possibly have been so lax as to lose the valuable data…? In your comment, you do not dispose of this question, and as a result you do not dispose of the impression a reader of your original story might have drawn that Morgan Stanley behaved negligently, unethically or illegally by not encrypting the data.

    You also do not address why encryption was apparently not required by the NY Tax Department at the time. If they already had the mechanism in place to exchange the password, they could just as easily exchange a decryption key. Again, the impression from your story implies that Morgan Stanley cut corners. My bet is that NY Tax did not have the software available to decrypt at the time. Was this one of fifty sendings from MS to NY Tax that was password protected and went through no problem? Did NY Tax even have the ability to decrypt an encrypted file? If you had these answers you did not report them.

    As to the second issue, that is not settled in your comment either. In your idt911 blog, you mention that the Tax Department said a breach notification was “required by law” and said there was a link, but I could not see or click the link. I read the ISBNA and quoted the part in which a loss of data seemed not to be included as a breach notice triggering event. It is possible that Federal Law might require this and trump state law, but I do not have a citation or court report. Federal law would most likely not apply to states either. Maybe you could send me the link that was hinted at in the idt911 blog post.

    As for my facts not being straight, although I apparently did less digging than you did, my facts were solid. Had you said “…if Morgan Stanley had encrypted…” rather than using the word “bothered”, or else attributed the word “bothered” to its origin, I might have written a different blog. And under ISBNA alone, breach notice is apparently not required in this case. If breach notice was not required, it was done only out of an abundance of caution, as I stated. Given the number of people involved, the costs of breach notice and the impact on all involved parties were far less than those of any sort of legal dispute.

    I am not accusing you or anyone of deliberately distorting the facts. But to create the impression of negligence or fault without support is wrong and does a disservice to companies and workers who work very hard to do the right thing and to comply with often ambiguous laws and regulations.
