Every entity should have an information technology asset disposal (ITAD) program as part of its information security process and procedure. Indeed, every time an IT asset is purchased, the eventual disposal of that asset should already be defined within an ITAD. When one doesn’t exist, data becomes exposed, compromises occur, and in many cases, fines are levied. Such was the case with Morgan Stanley Smith Barney (MSSB), which continues to feel the repercussions of their ITAD’s failure over the past several years, which has now resulted in $155 million USD in fines and penalties.
On September 20, 2022, the Securities and Exchange Commission (SEC) reached a settlement agreement in which MSSB paid a $35 million USD penalty for the improper disposal of devices containing MSSB customer persona identifying information (PII).