Plaintiffs allege that in two separate incidents, in 2016 and 2019, Morgan Stanley failed to properly dispose of retired IT equipment containing the personal information of over 15 million of its current and former clients. The equipment was unencrypted and had not been properly wiped of data before it was resold to unauthorized third parties. The first breach came to light in 2017, when an anonymous tipster said he had bought used IT equipment from an internet vendor and had access to Morgan Stanley data. The data included customers' names, addresses, Social Security numbers, dates of birth, credit card numbers, and other sensitive personal information, the settlement said.
Poor Data Governance
In 2020, after an investigation, the Office of the Comptroller of the Currency (OCC) directed Morgan Stanley to provide notice of the data security incidents to its potentially affected current and former clients, which the bank began doing in July 2020. The OCC's action resulted in a consent order stating that Morgan Stanley "failed to effectively assess or address the risks associated with the decommissioning of its hardware." The regulator also asserted that Morgan Stanley had inadequate data governance and monitoring procedures. The bank also paid a $60 million fine as part of the enforcement action.
If approved, the additional $60 million fund will provide for individuals affected by the breach to make claims for up to $10,000 each in out-of-pocket expenses and lost time repairing the damage. Claimants will also get access to at least two years of fraud insurance services. U.S. District Judge Analisa Torres must sign off on the agreement before it can take effect.
“We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to be resolving this related litigation,” the bank said in a statement Monday. However, the bank denied wrongdoing in agreeing to settle.
The agreement acknowledged Morgan Stanley’s “substantial” effort to improve its data security environment. As part of the settlement the bank also agreed to hire an outside firm to continue efforts to locate and retrieve missing retired IT assets for at least another year.
Settlement class members will have ninety days after they are notified by mail to submit their claim form to the settlement administrator, either by mail or online.
Joseph McCafferty is editor & publisher of Compliance Chief 360°