The Office of the Comptroller of the Currency on Friday levied a $60 million civil money penalty against Morgan Stanley Bank, N.A., and Morgan Stanley Private Bank, N.A., for 2016 data breaches in two Wealth Management business data centers located in the U.S.
Morgan Stanley is embroiled in a class-action lawsuit over the two separate data breaches involving missing equipment that exposed clients’ personally identifiable information — including Social Security and account numbers — to third parties.
The case, brought by a retirement account client and filed in the U.S. District Court for the Southern District of New York in late August, involves an unauthorized disclosure of clients’ identity information to unknown third parties and not a breach of a computer system by a third party.
The OCC states that Morgan Stanley failed to exercise proper oversight of the 2016 decommissioning of the business data centers.
The OCC also found that Morgan Stanley failed to:
- effectively assess or address risks associated with decommissioning its hardware;
- adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance;
- maintain an appropriate inventory of customer data stored on the decommissioned hardware devices.
In 2019, the banks experienced similar vendor management control deficiencies in connection with decommissioning other network devices that also stored customer data, the OCC states.
The OCC found the noted deficiencies constitute unsafe or unsound practices and resulted in noncompliance with 12 CFR Part 30, Appendix B, “Interagency Guidelines Establishing Information Security Standards.”
A Morgan Stanley spokesperson said Friday in a statement: “As we previously disclosed in July, we have continuously monitored the situation and we do not believe that any of our clients’ information has been accessed or misused. Moreover, we have instituted enhanced security procedures, including continuous fraud monitoring, and will continue to strengthen the controls that we have in place to protect our clients’ information. Safeguarding our clients’ information is of paramount importance.”