The Morgan Stanley Data Breach Smear
News today of a data breach at Morgan Stanley has followed the usual pattern. Some self-appointed expert writes a blog and gets on the news to highlight the apparent negligence of a large and respected company in the handling of its customers information. Followed by carefully worded statements from “spokesmen” for both the company and other parties to the debacle. In this case the other party was the New York State Department of Taxation and Finance. Then dozens of news outlets pile on after doing no digging whatsoever to confirm the facts.
Morgan Stanley claims they have information or evidence that shows that a package they sent to the New York State Department of taxation arrived at its destination “intact.” How they know this has not been discussed publicly. Regardless, the CDs are now unaccounted for. The New York department of taxation stated, according to the website credit.com, “if Morgan Stanley had bothered to encrypt the CDs before sending them, none of this would have happened.” This implies that Morgan Stanley followed poor practices when securing the data send. But later in the same article is revealed that “while the Department of Taxation and Finance does now have a secure pipeline that allows for encrypted data transmissions, they didn’t ask Morgan Stanley to use the application because the software ‘was not fully implemented until after the request for annual data was sent.’ ” [emphasis is mine] These statements are attributed to New York Department of Taxation and Finance spokesperson Susan Burns. In fairness, credit.com did not use quotation marks around the “if Morgan Stanley had bothered…” comment so that bit of editorial confusion may have been cooked up by credit.com to spice up their story.
In general, when private companies send data to the state they are compelled to do so. The format, timing, and security or lack thereof is all part of the state’s command to send data. For example, if data were to be encrypted, then an agreed upon scheme to protect the keys and transmit the keys for decryption would have to be agreed upon. This would be explicitly true for the use of, say, AES 256 encryption using WinZip or other encrypting program. Or this would be implicitly true for the use of TLS encryption and an encrypted channel over the Internet. Either way, the state makes the rules. If Morgan Stanley used, say, Microsoft Office Excel password protection to secure the data, that was most likely because that’s what the New York State Department of Taxation and Finance insisted upon. This is probably why the commentary coming from New York State has been relatively mild and has not unequivocally pointed the finger of blame at Morgan Stanley. After all, it appears that at least some of the data sent to the NY State Department of Taxation and Finance has not been secured according to NY statute for at least five years. Probably budgetary pressures.
In this case the law in question is the New York Information Security Breach and Notification act (ISBN A). It appears that both Morgan Stanley and the New York State Department of Taxation and Finance are in fact covered by the ISBNA, which was originally enacted in late 2005. However, upon review of the New York State Technology Law Section 208 (the part of ISBNA that pertains to state agencies), it appears that what happened to the CDs from Morgan Stanley was not, in the eyes of New York State, a “data breach”. Here is the definition of “breach of security system” contained in state technology Law section 208: “Breach of the security system means an ‘unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business. Good faith acquisition of personal information by an employee or agent of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.’ ” So the breach was not a breach and it appears that Morgan Stanley and, reluctantly, New York State Department of Taxation and Finance, have decided to notify taxpayers in New York out of an abundance of caution. Please note that no one is congratulating Morgan Stanley for taking the high road in its ongoing compliance with New York State law. It didn’t have to notify its customers but it chose to anyway.
The moral of this sad story is that when it comes to suspected data breaches, companies are damned if they do and damned if they don’t. A company like Morgan Stanley, which has excellent technology infrastructure and a reasonably good track record when it comes to protecting information, will be tarred with the same brush used on companies like Sony and others who arguably turned a blind eye to the protection of information in their care. You have a good reputation until you don’t. That time for good reputation expiration is chosen by people you never met who have only sketchy access to the facts and who then twist those facts to their own advantage. Welcome to data breach notification, United States style.
[Author’s Note: I have no inside information concerning this incident and have not included any proprietary information in this blog.]