ThinkAdvisor

Morgan Stanley to Pay $60M Over Data Breaches

What You Need to Know

  • Morgan Stanley was sued in 2020 by clients over the way it handled data security breaches in 2016 and 2019.
  • The firm allegedly failed to wipe client data from computer equipment it decommissioned and resold.
  • A preliminary settlement was reached with the help of a mediator.

Morgan Stanley agreed to pay $60 million to settle a class action complaint, filed against it in 2020 by clients, over the way it handled two separate data security breaches in 2016 and 2019.

On Friday, a preliminary settlement was filed in U.S. District Court for the Southern District of New York in Manhattan saying the plaintiffs were all in favor of the settlement.

“We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to be resolving this related litigation,” a Morgan Stanley spokesperson told ThinkAdvisor on Tuesday.

The settlement must still be approved by District Judge Analisa Torres before it goes forward.

Settlement Details

While continuing discovery in the case, both parties agreed to mediate the claims and engaged Diane M. Welsh as a mediator in the dispute, according to court documents.

“Through mediation and extensive arms-length negotiations over a period of five months, the Parties have reached an agreement that provides for significant monetary and equitable relief for the Settlement Class,” according to a memorandum of law in support of the plaintiffs’ unopposed motion for preliminary approval of the class action settlement.

As part of the settlement, Morgan Stanley will establish a $60 million non-reversionary settlement fund for the benefit of the settlement class and also retain a third-party firm to continue its effort to locate and retrieve missing retired IT assets, the memorandum said.

Morgan Stanley “already made substantial changes in relation to its data security practices in the wake of” the data security incidents, which the defendant “committed to maintain,” according to the memorandum.

The wirehouse also agreed to separately bear the costs of notice and administration estimated to be $7 million. The fund will be used to provide settlement class members access to a minimum of 24 months of fraud insurance services as an automatic benefit, without the need to file a claim.

Also, each class member will be able to make a claim for up to $10,000 in reimbursement for out-of-pocket losses, as well as up to four hours in attested lost time at $25 per hour as part of the settlement.

The Complaints

The plaintiffs had alleged in separate complaints in 2020 that the wirehouse failed to properly secure and safeguard the personally identifiable information of 14 million to 15 million current and former clients, and failed to provide timely, accurate and adequate notice that clients’ information had been lost and that certain types of information were unencrypted and in the possession of unknown third parties as a result.

The complaints were combined into one consolidated suit in U.S. District Court for the Southern District of New York. The last of the amended complaints was filed July 5, 2021.

The plaintiffs alleged that, in 2016, in an “attempt to save approximately $100,000 in the decommissioning of two of its data centers … Morgan Stanley made a series of reckless business decisions that ultimately resulted in the compromise of the confidential personally identifiable and financial information (“PII”) of over 14 million of its current and former clients,” according to the amended complaint.

Instead of following accepted industry standards or its internal protocols, Morgan Stanley “terminated a contract with IBM for the decommissioning, wiping, and destruction of computer equipment storing PII,” “hired a local moving company with no information technology asset disposal … experience to handle the project,” and then “failed to supervise,” the plaintiffs alleged.

“Morgan Stanley feigned shock when it learned two years later from a third party who had purchased the used Morgan Stanley equipment that he had access to sensitive Morgan Stanley data,” the complaint alleged.

“To this day, as a result of Morgan Stanley’s systemic failures and lack of inventory records, thousands of pieces of IT equipment containing unencrypted Morgan Stanley client PII remain completely unaccounted for,” according to the plaintiffs.

“Many of these devices have been offered for sale on the internet and remain in the hands of third-party purchasers who now have unfettered access to the PII of millions of Morgan Stanley’s former and current clients,” according to the complaint.

Not part of the amended complaint was a similar complaint by a retirement account client filed in the U.S. District Court for the Southern District of New York Aug. 27, 2020. That case was dismissed in September 2020, according to a court document.

(Pictured: Morgan Stanley headquarters in New York; Photo: Bloomberg)