“We were notified by the state that the package appeared to be intact when it arrived at the facility, however the discs were not contained in it when it was given to the intended recipient” inside the department, Jim Wiggins, a spokesman for Morgan Stanley Smith Barney, told us.
Not so fast, says the state. If Morgan Stanley had bothered to encrypt the CDs before sending them, none of this would have happened. The state doesn’t know where the CDs are now, but that doesn’t mean it lost them, says Susan Burns, a spokeswoman for the tax department.
Maybe they were lost in the mail, Burns says.
“We have no information that we can use to corroborate that the two compact disks were in the envelope when it arrived at the Department,” Burns said in an email. “We cannot determine whether the disks were lost in transit via the US Postal Service or within the Department.”
Why does it even matter that two CD-ROMs are missing? Because they contained the names and Social Security numbers of a number of wealthy New Yorkers. The data concerned investors in tax-advantaged bonds, which tend to be investors with quite a bit of money, says Adam K. Levin, founder and chairman of Credit.com.
Since neither side knows where the CDs are, no one can say whether the data was stolen, or whether it’s merely sitting innocently on the wrong person’s desk.
What’s interesting is that the whole episode has exposed some confusion about what the law actually says regarding data transmissions of this type. The law in question is the New York Information Security Breach and Notification Act (ISBNA). In her original emailed statement, Burns said that while the CDs were protected by passwords, “(u)nfortunately, password protected is not the equivalent of encrypted which is the requirement of ISBNA and industry best practice.”
Later, the tax department learned differently. The state law does not require companies to encrypt data; rather, it says only that if unencrypted data is lost, companies must notify consumers and regulatory agencies of a possible data breach. In case you really want to dig into this, here’s the law itself.
“We believe we were in compliance with requirements” set forth by the law, Wiggins says.
Then there’s the question of how the data was sent. Some websites have suggested that Morgan Stanley could have used a secure data pipeline to send the data. This turns out not to be the case. While the Department of Taxation and Finance does now have a secure pipeline that allows for encrypted data transmissions, they didn’t ask Morgan Stanley to use the application because the software “was not fully implemented until after the request for annual data was sent,” Burns says.