The case of Morgan Stanley: The need for Enterprise Data Retention Programmes

Published: Wed Oct 21 2020
Last week saw confirmation of Morgan Stanley’s $60 million USD fine for having failed to ‘effectively assess or address risks associated with decommissioning its hardware’ and for having failed to ‘maintain an appropriate inventory of customer data stored on the devices.’
The Morgan Stanley case serves as a cautionary tale for banks and global businesses. The Bank’s failure to maintain an ‘appropriate inventory’ of its customers’ PII highlights the obvious need for a robust, enterprise-wide data privacy solution that covers data retention and deletion strategies. Without such a programme, businesses will never have a true view of the PII that resides in their systems or, just as importantly, of how long that data should be retained. Without a single view, any PII left across systems, databases and regions can quickly become ‘toxic’, presenting the organisation with a long-term yet potentially hidden risk. So how best to address these challenges? Let us begin by defining the term ‘toxic data’.
At its worst, toxic data is often some of the most sensitive personal data (e.g. financial or healthcare data) that a business has no legal basis, consent or otherwise, to hold or process. This ‘un-consented’ and ‘un-permissioned’ data represents a hidden risk to a business and its customers: it increases the attack surface and provides an obvious target for attackers seeking valuable, often sensitive, personal data. In some cases, this data belongs to individuals who may have long ceased to be customers of the Bank. Left unchecked, such data will inevitably be exposed in data breaches and lead to the sorts of fines now faced by Morgan Stanley. Furthermore, although a business might not be able to actually use its un-consented and un-permissioned data, it must nevertheless pay for the privilege of storing it. Those that adopt the right tools and technologies will succeed on two fronts: firstly, by reducing the storage costs of ‘toxic’ data, and secondly, by securing the business against the risk of fines and brand damage.

So, what’s the solution?

Investment in the right tools and technologies is the best solution. These tools support enterprise-wide retention programmes, rules and data mapping, eliminating the risk of fines and data breaches today and tomorrow by automating the processes that help the business to catalogue its data, improve visibility and reduce its attack surface.
Trunomi is purpose-built to help organisations with their enterprise-wide data retention and privacy management programmes. Trunomi’s own patented TruCert™ technology is designed to capture the full context around the personal data held by a business, including expiration dates and retention periods. Trunomi’s rules-based platform automates workflows for data retention programmes: if a customer closes their account, or a particular consent expires, TruCert™ can either flag the underlying PII or instruct downstream systems to take a specific action (e.g. deletion, masking or archiving), while immutably recording that the action has taken place. Trunomi’s pointer technology reduces the need to move documents and keeps organisations from falling foul of Schrems II, without Trunomi ever having to see or store copies of the raw PII itself. The business can de-risk its data sets, save on storage costs and reduce the risk of a Morgan Stanley-style fine to zero.
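To make the retention workflow described above concrete, here is an added illustration (not Trunomi’s code, and not part of the original post). It assumes a constructed inventory of pointers to records (system and record id, never the PII itself), a constructed rule table keyed on the triggering event (account closure or consent expiry), and a hash-chained audit log so that any later edit to the record of what was deleted or archived is detectable.

```python
import hashlib
import json
from datetime import date, timedelta

# Constructed retention rules: which event starts the clock, how long to keep
# the data after it, and what the downstream system should then do.
RULES = {
    "kyc_document":        {"trigger": "account_closed",  "keep_days": 5 * 365, "action": "delete"},
    "marketing_profile":   {"trigger": "consent_expired", "keep_days": 0,       "action": "delete"},
    "transaction_history": {"trigger": "account_closed",  "keep_days": 7 * 365, "action": "archive"},
}

# Constructed inventory: pointers into the systems that hold the data, plus the
# dates of triggering events. No raw PII is stored here.
INVENTORY = [
    {"ptr": "crm:doc/1001",  "category": "kyc_document",        "account_closed": "2014-06-01"},
    {"ptr": "crm:doc/1002",  "category": "kyc_document",        "account_closed": "2019-01-15"},
    {"ptr": "mkt:prof/77",   "category": "marketing_profile",   "consent_expired": "2020-09-30"},
    {"ptr": "ledger:acct/5", "category": "transaction_history", "account_closed": "2012-01-01"},
    {"ptr": "ledger:acct/6", "category": "transaction_history"},  # account still open
]

def due_actions(inventory, rules, today):
    """Return (pointer, action) for every record whose retention period has run out."""
    due = []
    for rec in inventory:
        rule = rules[rec["category"]]
        trigger = rec.get(rule["trigger"])
        if trigger is None:
            continue  # the triggering event has not happened, so the data is kept
        if today >= date.fromisoformat(trigger) + timedelta(days=rule["keep_days"]):
            due.append((rec["ptr"], rule["action"]))
    return due

def append_audit(log, ptr, action, today):
    """Append an entry whose hash covers its own fields and the previous entry's hash."""
    prev = log[-1]["hash"] if log else "0" * 64
    entry = {"ptr": ptr, "action": action, "date": today.isoformat(), "prev": prev}
    entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)

def verify_audit(log):
    """Recompute the chain; a modified, inserted or removed entry makes this return False."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != prev or digest != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def retention_run(today_iso):
    """One scheduled run: compute the due actions and record each one in the chained log."""
    today, log = date.fromisoformat(today_iso), []
    actions = due_actions(INVENTORY, RULES, today)
    for ptr, action in actions:
        append_audit(log, ptr, action, today)  # in practice, dispatch to the owning system first
    return actions, log
```

Run on the post’s publication date, the sample inventory yields one deletion of an old KYC document, one deletion of a profile whose consent has lapsed, and one archive of a closed account’s transaction history; the open account and the recently closed one are left alone.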

So, what now?

Perhaps the most worrying aspect of Morgan Stanley’s recent case was not the fact that it happened in the first place, but rather the fact that it happened twice – once in 2016, and again in 2019. With the right technologies and tools in place, businesses can overcome the obstacles faced, and ensure they do not find themselves under investigation at all, let alone twice in three years.

Richard Santalesa, a technology and data privacy attorney at SmartEdgeLaw Group, commented on the Morgan Stanley fine as follows: “I’m sure this latest action has made the desks of every CISO and chief privacy officer in the financial ecosphere. I know that if I were sitting in that C-seat, I’d immediately add a ‘data destruction / deletion review’ agenda item to my next department meeting.”

Today’s technologies are designed to solve these issues. To see how Trunomi helps CISOs, data governance and privacy teams with their data retention, get in touch or book a demo at info@trunomi.com.