A Few Lessons From the Morgan Stanley Trade Secrets Debacle

Earlier this month, a financial advisor at Morgan Stanley copied information on 350,000 of the company’s wealth management clients. A few days later, sample data from 900 clients was posted on Pastebin, with the poster offering more in exchange for payment in SpeedCoin, a type of virtual currency similar to Bitcoin.

As it happens, earlier that year, Morgan Stanley hosted a bitcoin event at its headquarters, which all employees were invited to attend. And while Morgan Stanley’s CEO was busy announcing to the world that he does not understand what Bitcoin is, some lower-level employees were apparently taking notes.

As you can imagine, the stolen data had a wealth, pun intended, of information about each client. A six-year advisor was able to get the information by simply running reports within the company’s database. Although he was quickly fired after the breach was discovered, and is now subject to an FBI investigation, the damage to the company’s reputation in terms of clients’ trust has been done. My guess is that the damage is quite significant, whether the company will admit it or not.

Unfortunately for business owners, trade secret theft is a daily occurrence. With the proliferation of personal electronic devices and the increasing connection of office devices, such as printers, faxes, etc., to the internet, confidential information can be stolen and shared with third parties in a matter of minutes. The Morgan Stanley debacle shows that even international powerhouses with almost unlimited budgets and resources to protect their confidential information and the information of their clients can suffer from blind spots in the security systems that are meant to protect sensitive data. My guess is that Morgan Stanley relied a little too much on the criminal penalties bestowed upon those who misuse client data in the banking world and did not implement as strong a security system as it should have.

As a business owner, manager, or person in charge of the confidential information within your organization, it is your responsibility to make sure that that data is protected. While it is impossible to keep up with every technological advance, it is relatively easy to set up a protection system within the company that will prevent most, if not all, data theft. How, you say? Here’s how:

1.  Take a few hours and write down a list of every type of information that your company considers proprietary or confidential, even if it’s an obvious one. This can include customer lists and information, vendor lists, source code for your software program, design plans for your product, your marketing plans, your financial data, etc. Any successful business will probably have more than one type of confidential information.

2.  Consider who within your company or business has access to each type of confidential information. Then, consider whether they need to have access to it. For example, does your marketing department need to have access to your manufacturing schemes? Does your manufacturing department need to have access to your financials or customer list? It might seem silly, but I guarantee that after taking stock, you will find that some people or departments incidentally have access to data that they don’t need or use in their jobs. Eliminate such access. Of course, be careful not to deprive people of the information that they need to do their jobs.

3.  Consider whether each person with access to confidential information has signed proper agreements. Do your employees have non-compete agreements, non-solicitation agreements, and non-disclosure agreements? If they do, are the agreements consistent? Do they have all the necessary bells and whistles to make them enforceable? How long ago were they updated?  Having thorough yet clear agreements will discourage most employees from attempting to steal trade secrets.

4. Take stock of all electronic devices issued to employees.  Do you consistently keep track of what electronic devices are issued to employees by the company? Do you have a policy governing how such devices are used? Do you have security measures on such devices? Do you have a way to determine whether a device has been used to transfer confidential information? This is particularly important for the employees who work from home.

5. Do you have appropriate agreements with vendors, suppliers, business partners, and other parties who receive confidential information from you? If not, you need to add such agreements into your relationship with such parties to make sure that your confidential information is not used to replace or cut you out.

LESSON: What happened at Morgan Stanley can happen anywhere. But it is less likely to happen in a company where employees get a sense that the company is serious about protecting its trade secrets and the confidential information of its customers. That serious attitude is conveyed to employees by having an organized framework within the company – from legal agreements, to passwords, to restricting access for non-essential employees. When employees see that a company’s efforts to protect its information are disorganized or haphazard, they are more likely to attempt theft of such information because they believe that they will not be caught. In Morgan Stanley’s example, it appears that the company did not even know that the employee had obtained its client data until weeks after it was posted for sale on the internet, which means that its internal database did not alert the company when large numbers of reports were being generated.

Make 2015 the year that you insulate your business from trade secret theft.

If you are facing a trade secret misappropriation claim or suspect that a theft of trade secrets occurred at your company, contact Leiza Dolghih at Leiza.Dolghih@GodwinLewis.com for a consultation.