Attorney General Moody Recovers $6.5 Million from Morgan Stanley Over Two Data-Security Incidents

TALLAHASSEE, Fla.—Attorney General Ashley Moody, along with five other attorneys general, secured a $6.5 million agreement with Morgan Stanley Smith Barney LLC, also known as Morgan Stanley. The action comes after an investigation found that Morgan Stanley compromised the personal information of its customers due to negligent internal data-security practices. Morgan Stanley potentially exposed millions of consumers’ personal information through a failure to properly erase unencrypted data when disposing of the company’s computer devices.

Attorney General Ashley Moody said, “This company put the personal information of millions of its customers at risk through the mishandling of decommissioned devices. Now, Morgan Stanley will have to pay $6.5 million and take steps to ensure customer data is protected.”

An investigation into Morgan Stanley uncovered that the company failed to properly dispose of devices containing its customers’ personal information by hiring a moving company with no experience in data-destruction services to decommission thousands of hard drives and servers containing sensitive information of millions of its customers. Morgan Stanley failed to properly monitor the moving company that used internet auctions to sell the computer equipment. Morgan Stanley did not know about the problem until a downstream purchaser discovered the data and contacted the company.

In a second incident, Morgan Stanley discovered 42 missing servers during a decommissioning process, all potentially containing unencrypted customer information. During this process, the company learned that local devices being decommissioned possibly contained unencrypted data due to a manufacturer flaw in the encryption software.

The investigation found that Morgan Stanley failed to maintain adequate vendor controls and hardware inventories, and that if these controls were in place, both data-security events could have been prevented. 
 
As a result of today’s action, Morgan Stanley will pay $6.5 million to the states. In addition, Morgan Stanley must adopt the following provisions to strengthen personal information protection for its consumers: 

• Encrypt all personal information, whether stored or transmitted, between documents, databases or elsewhere;
• Maintain a written policy that governs the collection, use, retention and disposal of consumers’ personal information;
• Employ a manual process and automated tools to keep track of locations of all hardware that contains personal information;
• Maintain a comprehensive information security program that includes regular updates that are necessary to reasonably protect the privacy, security and confidentiality of personal information;
• Support an incident response plan that documents incidents and actions taken in relation to the incidents; and
• Maintain a vendor risk assessment team to assess and monitor that their vendors are in compliance with Morgan Stanley’s data-security requirements.

In addition to Florida, represented by Consumer Protection Division Multistate and Privacy Bureau Chief Patrice Malloy and Senior Assistant Attorney General Diane Oates, the following states joined the action: Connecticut, Indiana, New Jersey, New York and Vermont.

To view a copy of the agreement, click here.

# # #