ERI’s John Shegerian Calls Morgan Stanley Data Breach Settlement a ‘Cautionary Tale’ About Responsible Data Destruction

Citing recent reports of financial giant Morgan Stanley potentially reaching a settlement for a class-action lawsuit pertaining to an ITAD-related data breach, John Shegerian, Chairman/CEO of ERI, the nation’s leading fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company, has warned that Morgan Stanley’s payout should be viewed as a cautionary tale for all businesses.

A settlement for an undisclosed amount was reportedly reached last month. When the class-action case was launched in the summer of 2020, court documents revealed details about Morgan Stanley’s asset disposition mis-steps, including decommissioning more than 4,900 devices in a New York data center, with Morgan Stanley contracting with a moving company to carry out the job. The vendor reportedly removed devices and sold them to another company, who resold them online, exposing private data of Morgan Stanley constituents.

Separate from the class-action suit, Morgan Stanley was also slapped with a $60 million fine from the federal government, that found the company “engaged in unsafe or unsound practices that were part of a pattern of misconduct” related to asset disposition.

“This is a classic and textbook example of what not to do,” said Shegerian. “With the current massive increases in liability, there is a huge storm of problems on the horizon for all businesses that mismanage customer information that is stored digitally. What happened to Morgan Stanley was totally avoidable. Companies handling sensitive data need to work with specialized e-waste recyclers and ITAD companies that have been NAID AAA certified at the highest level – and they need to communicate with their vendors to make sure all data is completely destroyed.”

NAID AAA certification verifies secure data destruction companies’ services’ compliance with all known data protection laws through scheduled and surprise audits by trained, accredited security professionals, fulfilling customers’ regulatory due diligence obligations.

Reports of cybercrime are at an all-time high and Shegerian explained that an area that is often overlooked is the hacking of physical hardware and devices. To fully combat the threat of a breach, he said, it has become urgently important to account for data on discarded hardware as well.

“When a device is responsibly recycled, part of that process should always include complete, physical data destruction,” said Shegerian. “Guaranteed data destruction is key. Some companies believe their data is being wiped when they drop devices off for recycling and that is not always the case. Also, unethical and illegal shipping of e-waste to other countries has become an additional layer to the hardware security issue because it leads to the wholesale liquidation of the privacy of corporations and individuals.”