A few days ago, a friend of mine received several letters dated June 24, 2011 from Morgan Stanley Smith Barney, where he has kept brokerage accounts for himself and his children for many years. It began with the now familiar, "we care about you" phrase:
"At Morgan Stanley Smith Barney, client satisfaction and information security are critical priorities."
Then it segues into the sickeningly familiar, "but perhaps not enough" phrase:
"We are writing to inform you of a recent security incident involving the sensitive information of certain Morgan Stanley Smith Barney account holders. Morgan Stanley was recently notified by the New York State Department of Taxation and Finance that two password-protected CD ROMs included in the package received from Morgan Stanley Smith Barney were missing from the package when it was delivered to the intended recipient within the Department. The CD ROMs included sensitive information about your account that was sent as a requirement to New York State after filing annual 1099 tax forms. The sensitive information on the password-protected CD-ROMs included names, addresses, Social Security numbers, Morgan Stanley Smith Barney account numbers and income earned on tax exempt bonds or funds you hold or held in 2010."
Melding into the "we are praying daily that this never amounts to anything, because we don't want to be sued into the Stone Age" phrase:
"While we have no evidence that your sensitive account information has been misused as a result of this incident…"
The omitted, yet operative word here is—yet.
As I said in last week's column, in 2011 breach sightings have rapidly evolved from the Flavor of the Month, to news reel of the week, to "News at Eleven." And letters like this have become so common it's easy not to take them seriously. Their seemingly white noise status has begun to afford them the same recognition as the magazine marketing material and pre-approved credit card mailers we find almost every day in our snail mail box. However, this is far from junk mail. And this letter, in particular, deserves some careful parsing and thought.
Like all these "dear Vic(tim)" letters, it begins with a statement that belies the message that follows. How critical a priority is information security if those CD-ROMs were merely password protected, not encrypted? Is it standard operating procedure at Morgan Stanley Smith Barney not to encrypt, or is the NY State Tax Department lacking the technology to decrypt? Further, note the careful phraseology, which subtly implies those CD-ROMs might have been taken by anyone involved in the transportation chain, including a NYS employee, before the package was actually delivered "to the intended recipient within the Department." Heck, maybe the dog ate 'em.
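The distinction the column draws between "password protected" and "encrypted" is easy to see in bytes. The example below is added here; it is not code from the column, from Morgan Stanley Smith Barney or from New York State, and both container formats in it are constructed for illustration. The "gated" container mimics what many viewer tools call password protection: the software checks a password hash before displaying the file, but the record itself is written to the medium unchanged. The encrypted container derives a key from the password with PBKDF2 and uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only so the example runs on the Python standard library; a real deployment would use a vetted AEAD such as AES-GCM from a crypto library. The sample record values are fake.

```python
"""
Added illustration (not from the column): a "password-protected" disc versus
an encrypted one, as seen by someone who simply holds the disc.
"""
import hashlib
import hmac
import os
import struct

# Constructed sample record of the kind the letter describes (fake values).
RECORD = b"name=J. Doe;addr=1 Main St;ssn=123-45-6789;acct=MSSB-0001;income=1234.56\n"

PBKDF2_ITERS = 100_000


def gate_with_password(plaintext: bytes, password: str) -> bytes:
    """'Password protection' as many viewers implement it: a password hash is
    stored next to the data so the reader can refuse to open it, but the data
    itself goes onto the medium in the clear."""
    salt = os.urandom(16)
    check = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return b"GATE" + salt + check + plaintext


def open_gated(container: bytes, password: str) -> bytes:
    salt, check, body = container[4:20], container[20:52], container[52:]
    expected = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    if not hmac.compare_digest(check, expected):
        raise PermissionError("wrong password")
    return body


def _derive(password: str, salt: bytes) -> tuple[bytes, bytes]:
    # 64 bytes of key material: first half for confidentiality, second for integrity.
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 used as a PRF: a standard-library
    # stand-in for a real cipher, used here only to keep the example dependency-free.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_with_password(plaintext: bytes, password: str) -> bytes:
    """Encrypt-then-MAC: without the password-derived key the bytes on the
    medium reveal nothing, and any tampering fails the tag check."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive(password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return b"ENC1" + salt + nonce + tag + ct


def decrypt_with_password(container: bytes, password: str) -> bytes:
    salt, nonce, tag, ct = container[4:20], container[20:36], container[36:68], container[68:]
    enc_key, mac_key = _derive(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrong password or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def readable_without_password(container: bytes, needle: bytes) -> bool:
    """What anyone holding the disc can do: search the raw bytes, no tool needed."""
    return needle in container


if __name__ == "__main__":
    gated = gate_with_password(RECORD, "correct horse")
    enc = encrypt_with_password(RECORD, "correct horse")
    print("SSN visible in gated container:", readable_without_password(gated, b"123-45-6789"))
    print("SSN visible in encrypted container:", readable_without_password(enc, b"123-45-6789"))
```

The point for a breach-notification reader: a "password-protected" disc is only as good as the tool that honours the password, whereas an encrypted disc is protected by the key regardless of what software the finder uses. Whether the missing CD-ROMs fell into the first or the second category is exactly what the letter does not say.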
Of course the best question is why CD-ROMs were used to transmit the data in the first place. Since reporting of this kind is done routinely every year, why shouldn't there be a secure communications link between the sender and the recipient? And it would be cheaper, too—something state government really does care about at this particular moment.