Morgan Stanley agrees to pay $60 million for litigation

The American multinational investment bank and financial services company settles data breach lawsuit

By: Legal Era
Update: 2022-01-03 09:30 GMT

Morgan Stanley has agreed to pay $60 million as a preliminary settlement of a class-action lawsuit. The lawsuit was brought against it for allegedly failing to secure customers' personal data before retiring old information technology.

The settlement offer awaits the approval of New York District Judge Analisa Torres.

The lawsuit was filed on behalf of about 15 million Morgan Stanley customers pursuant to two incidents that occurred in 2016 and 2019.

The first incident involved Morgan Stanley's decommissioning of two wealth management data centers. The bank's vendor, Triple Crown, was entrusted with wiping or destroying the unencrypted computer equipment before removing it from the centers.

It was later discovered that the equipment contained data even after it had left the vendor's control. According to Morgan Stanley, the vendor removed the devices and resold them to a third party without authorization.

The second incident involved the replacement and removal of branch office equipment as part of a hardware refresh program. The bank was unable to locate some of these devices, which, owing to a software flaw, could have contained previously deleted information on the disks in unencrypted form.

Under the proposed settlement, customers were entitled to a minimum of two years of fraud insurance coverage and they could also apply for reimbursement of up to $10,000 in related out-of-pocket losses. The bank also made assurances that it would upgrade its data security practices.

Even while seeking to settle the lawsuit, Morgan Stanley maintained there was no wrongdoing on its end. In its motion to dismiss the lawsuit, in August 2021, the bank argued that despite in-depth investigations and continual monitoring over the years, it had not become aware of a single instance of misuse of data derived from any of its own sources.

In 2020, the bank had incurred a $60 million civil fine for failing to properly monitor the 2016 decommissioning of its data centers.

While imposing the penalty, the Office of the Comptroller of the Currency found that the bank had failed to effectively assess or address risks associated with decommissioning its hardware.

It had failed to adequately assess the risk of sub-contracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance. The bank had also failed to maintain an appropriate inventory of customer data stored on the decommissioned hardware devices.

By: Nilima Pathak
