Back in January 2015, Morgan Stanley disclosed an insider breach (previous coverage here and here). It appears that the Federal Trade Commission opened an investigation into the breach under Section 5 of the FTC Act, but decided not to pursue any enforcement action.
In a closing letter to Morgan Stanley’s counsel, Maneesha Mithal, Associate Director of the Division of Privacy and Identity Protection at FTC explains why the FTC decided to close the investigation, but noted that closing the investigation should not be construed as a determination that there was no violation of Section 5.
The letter may be instructive, as it suggests that if an entity has appropriate policies in place, but there’s a failure due to “human error,” then the FTC will not necessarily pursue a case. In this case, the access controls for one narrow set of reports was configured improperly and Morgan Stanley corrected the problem as soon as they become aware of it.
So here we have a situation where there was a risk of significant injury to consumers that they could not reasonably avoid. Whether the risk was offset by any benefits, well, I don’t know how the FTC calculates that in this case. But it looks like what saved Morgan Stanley was it was able to show the FTC its policies and all the ways it had attempted to prevent the very problem that occurred.