Close Close
Sign In
Newsletters
Popular Financial Topics Discover relevant content from across the suite of ALM legal publications From the Industry More content from ThinkAdvisor and select sponsors Investment Advisor Issue Gallery Read digital editions of Investment Advisor Magazine Tax Facts Get clear, current, and reliable answers to pressing tax questions
Luminaries Awards
Podcast Center Video Center Webcasts Resource Center Events
About ThinkAdvisor Contact Us Advertise With Us Asset & Logo Licensing Sitemap Terms of Service Privacy Policy Copyright © 2024 ALM Global, LLC. All Rights Reserved.
ThinkAdvisor
Morgan Stanley headquarters in New York

Regulation and Compliance > State Regulation

Morgan Stanley to Pay 6 States $6.5M Over Client Data Security

By Melanie Waddell

X
Your article was successfully shared with the contacts you provided.

New York Attorney General Letitia James and a coalition of five attorneys general reached a $6.5 million agreement Thursday with Morgan Stanley Smith Barney LLC for compromising the personal information of millions of customers nationwide.

According to James’ office, Morgan Stanley “failed to decommission its computers and erase unencrypted data in certain computer devices that were later auctioned while still containing consumers’ personal information, including data belonging to 1.1 million New Yorkers.”

New York, according to James, will receive $1,658,047 from the settlement and Morgan Stanley will be required to strengthen its data security measures.

The other states are Connecticut, Florida, Indiana, New Jersey and Vermont.

“No one should have their personal information auctioned off without their knowledge because a company failed to take basic steps to erase it before selling their old computers,” James said in a statement.

“Today’s agreement requires Morgan Stanley to bolster its cybersecurity so consumers will never again have to risk their personal data unintentionally being sold at an auction,” James said. “Companies, big and small, must all take their responsibility to protect their customers’ data seriously, and if they do not, my office will take action.”

The two data incidents were reported in July 2020.

Morgan Stanley, according to James, “hired a moving company with no experience in data destruction services to decommission thousands of hard drives and servers containing sensitive information of millions of its customers.”

Morgan Stanley then “failed to properly monitor the moving company’s work, and its computer equipment, some of which still contained private consumer information, was then sold at auction.”

Morgan Stanley was only made aware of the problem when a purchaser discovered the data and called the company, according to James’ office.

In a second incident, Morgan Stanley discovered during a decommissioning process that 42 servers, all potentially containing unencrypted customer information, were missing.

“During this process, the company learned that the local devices being decommissioned may have contained unencrypted data due to a manufacturer flaw in the encryption software,” the order states.

The multistate investigation found that Morgan Stanley “failed to maintain adequate vendor controls and hardware inventories, and that had these controls been in place, both data security events could have been prevented,” James said.

Morgan Stanley said in a statement that the firm has “previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to have resolved this related investigation.”

Melanie Waddell

@Think_MelanieW

NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.