FTC closes investigation into Morgan Stanley hack

Agency lauds firm for data protection policies, quick response to employee theft of 350,000 records

The Federal Trade Commission closed its investigation into last year's Morgan Stanley hack that exposed customer records, saying that although it found improperly configured access controls, the company responded quickly after the hack was discovered and had adequate internal security policies in place.

The FTC's Division of Privacy and Identity Protection, within the Bureau of Consumer Protection, released a letter Aug. 10 outlining its findings and specifically stating that the close of the investigation should not be interpreted as a determination that a violation did not occur. The investigation centered on whether Morgan Stanley's data security practices violated Section 5 of the Federal Trade Commission Act, 15 U.S. Code § 45.

In January, Morgan Stanley announced that an employee had stolen the account information of 350,000 wealth-management clients and posted a portion of those documents for sale online. The employee was later fired and the company offered fraud-monitoring services to owners of the compromised accounts.

The FTC was considering whether Morgan Stanley had failed to reasonably secure its clients' account information. The FTC said in the Aug. 10 letter that it did find adequate policies in place restricting and monitoring employee access.

For example, Morgan Stanley had a policy allowing employees to access only the personal data for which they had a business need. The agency said the employee gained access because access controls on a "narrow set of reports" were not configured correctly.

The agency cited the firm's quick response in fixing the issue once the hack came to light.

In the letter, the FTC emphasized that data security is an ongoing process and that companies must adjust security practices on a regular basis.