Attorney General Todd Rokita obtains $690,000 settlement with Morgan Stanley over data security incidents

INDIANA – Attorney General Todd Rokita today announced that his team has obtained $690,000 for Indiana as part of a multistate settlement with a global financial services corporation to resolve allegations of negligent internal data security practices.


“We have taken this action because companies must be held accountable for protecting Hoosiers’ data privacy in accordance with our laws,” Attorney General Rokita said. “Our team will continue standing up for hardworking families and defending their interests and rights as consumers.”

Morgan Stanley Smith Barney LLC — better known simply as Morgan Stanley — allegedly compromised the personal information of its customers through a poorly executed plan for decommissioning its computer devices and a failure to erase unencrypted data from some of those devices.

As far back as 2015, Morgan Stanley failed to properly dispose of devices containing its customers’ personal information by hiring a moving company with no experience in data destruction services. Morgan Stanley failed to properly monitor the outside firm’s work — which involved decommissioning thousands of hard drives and servers containing sensitive information of millions of its customers. The computer equipment, some of which contained customer data, was sold via internet auctions. Morgan Stanley learned of problems when a downstream purchaser discovered the data and called the company.

In a second incident, a records reconciliation exercise undertaken by the company during a decommissioning process revealed that 42 servers, all potentially containing unencrypted customer information, were missing. During this process, the company learned that the local devices being decommissioned may have contained unencrypted data due to a manufacturer flaw in the encryption software.

An investigation found that Morgan Stanley failed to maintain adequate vendor controls and hardware inventories — and that had these controls been in place, both data security events could have been prevented.

Indiana is one of six states — which include Connecticut, Florida, New Jersey, New York, and Vermont — entering into agreements with Morgan Stanley. The company has agreed to pay $6.5 million in total and to adopt a series of provisions that better protect the personal information of its consumers going forward, including:

  • Maintaining a comprehensive information security program that includes regular updates that are necessary to reasonably protect the privacy, security, and confidentiality of personal information;
  • Maintaining an incident response plan that documents incidents and actions taken in relation to the incidents;
  • Maintaining a written policy that governs the collection, use, retention, and disposal of consumers’ personal information;
  • Encrypting all personal information, whether stored or transmitted, between documents, databases, or elsewhere;
  • Employing a manual process and automated tools to keep track of locations of all hardware that contains personal information;
  • Maintaining a vendor risk assessment team to assess and monitor its vendors’ compliance with Morgan Stanley’s data security requirements.

As part of their work protecting consumers from illicit business practices, cybersecurity threats, data privacy violations, and ID theft, Attorney General Rokita’s team has now obtained nearly $1 billion in settlements for Hoosiers.

Settlement documents are attached.