Data breaches do not necessarily stem from a malicious actor or intrusions on a company network, as evidenced by Morgan Stanley’s recent $60‑million settlement with the Office of the Comptroller of the Currency for failing to adequately protect customer data when decommissioning two data centers. This hefty penalty should serve as a significant warning to companies to revisit important aspects of risk management – their asset disposal and vendor management programs. We detail the bank’s alleged failures and the settlement and, with input from Robinson & Cole partner Linn Freedman and Sentinel co-founder and strategy VP Aaron Weller, offer insight on key aspects of an effective data destruction program. See our two-part series on safeguards for proper disposal of hardware: “Risks and Examiner Expectations” (Feb. 26, 2020); and “Effective Inventories, Policies and Due Diligence” (Mar. 4, 2020).