
Significant Fines on Both Sides of the Atlantic for Failures to Protect Personal Data

Client Updates / Sep 28, 2022

Written by Haim Ravia and Dotan Hammer

The Irish Data Protection Commissioner (DPC) decided to impose administrative fines totaling €405 million on Meta Platforms Ireland due to Instagram’s failure to implement privacy-by-default settings for child users of the social network. In addition, the DPC also imposed a reprimand and an order requiring Meta Platforms to bring its processing into compliance within three months.

The administrative fine was based on the DPC’s findings in two matters. First, Meta Platforms allowed minors between the ages of 13 and 17 to operate ‘business accounts’ on the Instagram platform. At times, these accounts were configured by default to publish the child user’s phone number and email address.

Second, Meta Platforms at times had the accounts of child users set to “public” by default, which in turn made the social media content of child users publicly available, unless the account was otherwise set to “private” by changing the account privacy settings.

In the United States, the Securities and Exchange Commission (SEC) announced charges against Morgan Stanley due to the firm’s extensive five-year-long failure to protect the personal information of approximately 15 million customers. Morgan Stanley has agreed to pay a $35 million penalty to settle the SEC charges without admitting or denying its findings.

The SEC found that, beginning in 2015, Morgan Stanley hired a moving company with no data-destruction experience to decommission thousands of hard drives and servers containing the personal information of millions of its customers, and then failed to properly monitor the moving company's work. The moving company resold numerous Morgan Stanley devices that still held customer personal information, and those devices were subsequently auctioned on the Internet without the data stored on them ever having been wiped. Morgan Stanley managed to recover some, but not all, of the devices, and the recovered devices were found to still contain thousands of pieces of unencrypted customer data.

The SEC also found that Morgan Stanley's own hardware refresh program failed to properly track the decommissioning of local office and branch servers: forty-two servers, all potentially containing unencrypted customer data, went missing. Although the devices had encryption capability, the firm had failed to activate the encryption software for years, so any customer data on a lost device remained readable to whoever obtained it.

The full text of the Irish Data Protection Commissioner's decision against Meta Platforms and of the Securities and Exchange Commission's order against Morgan Stanley are published by the respective regulators.