Yeah, but they don't have millions of dollars available and they don't store personal information of millions of people. Morgan Stanley is and was clearly able to afford this license and if you need to handle data this sensitive, you must meet the necessary precautions.

Yes what they have should probably be fancier. I don't think this argues against my point?

Yeah 2005 for FDE would be pretty early adopter territory. On the Mac side Apple launched FileVault version 1 with 10.3 in 2003, but that only encrypted user home directories (IIRC it effectively was an attempt at transparently running a home directory off an encrypted disk image). Actual FDE came with FileVault 2 and 10.7 Lion, which wasn't until 2011.

Though at the same time while we've gotten used to banks lagging horribly on tech, given their resources and the sensitivity of the information they deal with an argument can be made that they should be leading not lagging and that cost cutting and lack of leadership interest aren't great excuses for delays. I do think by 2015 yeah that was getting kind of bad. On the other hand, the penalty wasn't much ($35m in 2022 would be worth a lot less to them working back 7 years). It might still have been cheaper to setup FDE back then. Optimistically, there may be Morgan Stanley clients well off enough to mount real private lawsuits or at least take quite a lot of money elsewhere if they're irritated enough, so while this penalty alone might not be much of a lesson about PII perhaps they'll still come to regret it a little :\.

Yeah, MS was ultra behind. Scramdisk came out in 1998 or 99 as I recall.

I wasn't working in IT so I have no idea what corporate policy was like at the time, but it was highly recommended in hacker circles. It can't have been that hard.

Yeah I got into it early via Truecrypt and dmcrypt in linux.