On Friday, Morgan Stanley agreed to pay $60 million as a preliminary settlement of a class action lawsuit brought against it for allegedly failing to secure customers’ personal data before retiring old information technology, Reuters reported. The settlement offer awaits the approval of New York District Judge Analisa Torres.
The lawsuit was filed on behalf of roughly 15 million Morgan Stanley customers pursuant to two incidents that occurred in 2016 and 2019 respectively.
The first incident involved Morgan Stanley’s decommissioning of two wealth management data centers. The bank’s vendor, Triple Crown, was entrusted with wiping or destroying the unencrypted computer equipment before removing it from the centers. This equipment was later found to have contained data even after it left the vendor’s control. According to Morgan Stanley, the vendor removed the devices and resold them to a third party without authorisation.
The second incident involved the replacement and removal of branch office equipment as part of a hardware refresh program. The bank was unable to locate some of these devices, which—owing to a software flaw—could have contained previously deleted information on the disks in unencrypted form.
Under the proposed settlement, customers are entitled to a minimum of two years of fraud insurance coverage and can also apply for reimbursement of up to $10,000 in related out-of-pocket losses. The bank has also made assurances that it would upgrade its data security practices.
Although it is seeking to settle, Morgan Stanley maintains that there was no wrong-doing on its end. In August 2021, in its motion to dismiss the lawsuit, the bank argued that despite in-depth investigations and continual monitoring over the years, it had not become aware of a single instance of any misuse of data derived from any of its own sources.
In October 2020, Morgan Stanley incurred a $60 million civil fine for failing to properly monitor the 2016 decommissioning of its data centers. While imposing the penalty, the Office of the Comptroller of the Currency found that the bank:
failed to effectively assess or address risks associated with decommissioning its hardware; failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices.