DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

States settle with Morgan Stanley for $6.5 million over data security incidents

Posted on November 17, 2023 by Dissent

Note: The incidents that resulted in this litigation occurred in 2016 and 2019, and resulted in other litigation and enforcement actions as well, including a $60 million fine by the Office of the Comptroller of the Currency, a $35 million fine by the SEC, and another $60 million settlement in a consumer lawsuit — DataBreaches.

The following is a press release from the Florida Attorney General’s Office:

Attorney General Ashley Moody, along with five other attorneys general, secured a $6.5 million agreement with Morgan Stanley Smith Barney LLC, also known as Morgan Stanley. The action comes after an investigation found that Morgan Stanley compromised the personal information of its customers due to negligent internal data-security practices. Morgan Stanley potentially exposed millions of consumers’ personal information through a failure to properly erase unencrypted data when disposing of the company’s computer devices.

Attorney General Ashley Moody said, “This company put the personal information of millions of its customers at risk through the mishandling of decommissioned devices. Now, Morgan Stanley will have to pay $6.5 million and take steps to ensure customer data is protected.”

An investigation into Morgan Stanley uncovered that the company failed to properly dispose of devices containing its customers’ personal information by hiring a moving company with no experience in data-destruction services to decommission thousands of hard drives and servers containing sensitive information of millions of its customers. Morgan Stanley failed to properly monitor the moving company that used internet auctions to sell the computer equipment. Morgan Stanley did not know about the problem until a downstream purchaser discovered the data and contacted the company.

In a second incident, Morgan Stanley discovered 42 missing servers during a decommissioning process, all potentially containing unencrypted customer information. During this process, the company learned that local devices being decommissioned possibly contained unencrypted data due to a manufacturer flaw in the encryption software.

The investigation found that Morgan Stanley failed to maintain adequate vendor controls and hardware inventories, and that if these controls were in place, both data-security events could have been prevented.

As a result of today’s action, Morgan Stanley will pay $6.5 million to the states. In addition, Morgan Stanley must adopt the following provisions to strengthen personal information protection for its consumers:

    • Encrypt all personal information, whether stored or transmitted, between documents, databases or elsewhere;
    • Maintain a written policy that governs the collection, use, retention and disposal of consumers’ personal information;
    • Employ a manual process and automated tools to keep track of locations of all hardware that contains personal information;
    • Maintain a comprehensive information security program that includes regular updates that are necessary to reasonably protect the privacy, security and confidentiality of personal information;
    • Support an incident response plan that documents incidents and actions taken in relation to the incidents; and
    • Maintain a vendor risk assessment team to assess and monitor that their vendors are in compliance with Morgan Stanley’s data-security requirements.

In addition to Florida, represented by Consumer Protection Division Multistate and Privacy Bureau Chief Patrice Malloy and Senior Assistant Attorney General Diane Oates, the following states joined the action: Connecticut, Indiana, New Jersey, New York and Vermont. To view a copy of the agreement, click here.

Source: MyFloridaLegal.com

Category: Breach IncidentsCommentaries and AnalysesExposureFinancial SectorOf NoteState/LocalU.S.

Post navigation

← CISA Releases The Mitigation Guide: Healthcare and Public Health (HPH) Sector
Australian Privacy Regulator Sues in MedLab Pathology Data Breach Case →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident
  • U.S. Government Employee Arrested for Attempting to Provide Classified Information to Foreign Government
  • St. Cloud Provides Update on Ransomware Attack in 2024
  • Bradford Health Systems detected abnormal network activity in December 2023. They first sent out breach notices this week.
  • Websites selling hacking tools to cybercriminals seized
  • ConnectWise suspects cyberattack affecting some ScreenConnect customers was state-sponsored
  • Possible ransomware attack disrupts Maine and New Hampshire Covenant Health locations

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans
  • The US Is Storing Migrant Children’s DNA in a Criminal Database
  • Home Pregnancy Test Company Wins Dismissal of Pixel Wiretapping Suit
  • The CCPA emerges as a new legal battleground for web tracking litigation

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.