By Jonathan Stempel
(Reuters) – Morgan Stanley
The settlement resolves allegations related to Galen Marsh’s unauthorized transfers from 2011 to 2014 of data from about 730,000 accounts to his home computer in New Jersey, some of which was hacked by third parties and offered for sale online.
Marsh was sentenced in December to three years probation and ordered to pay $600,000 in restitution after pleading guilty to one felony count of unauthorized access to a computer. Prosecutors had sought prison time.
According to the SEC, Morgan Stanley violated a federal regulation known as the Safeguards Rule by failing to properly protect customer data, allowing Marsh to access names, addresses, phone numbers, and account holdings and balances.
“Given the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection,” Andrew Ceresney, director of the SEC enforcement division, said in a statement.
Morgan Stanley did not admit or deny wrongdoing.
In a statement, the New York-based company said it has changed account numbers and offered credit monitoring and identity theft protection services for affected clients. The theft did not result in fraud against any client account, it added.
Marsh accepted a related five-year securities industry ban from the SEC, the regulator said. He has said he did not offer to sell customer information to anyone.
“We appreciate the SEC taking a look at the full weight of the evidence and making an appropriate decision,” his lawyer Derrelle Janey said in an interview. He said Marsh and his wife are now raising their 6-month-old daughter.
(Reporting by Jonathan Stempel in New York; Editing by Chris Reese and Richard Chang)