Attorney General James and Multistate Coalition Secure $6.5 Million from Morgan Stanley for Failing to Protect Customer Data

NEW YORK – New York Attorney General Letitia James and a coalition of five attorneys general today reached a $6.5 million agreement with global financial services firm Morgan Stanley Smith Barney LLC (Morgan Stanley) for compromising the personal information of millions of customers nationwide. Morgan Stanley failed to decommission its computers and erase unencrypted data in certain computer devices that were later auctioned while still containing consumers’ personal information, including data belonging to 1.1 million New Yorkers. New York will receive $1,658,047 from today’s settlement and Morgan Stanley will be required to strengthen its data security measures.

“No one should have their personal information auctioned off without their knowledge because a company failed to take basic steps to erase it before selling their old computers,” said Attorney General James. “Today’s agreement requires Morgan Stanley to bolster its cybersecurity so consumers will never again have to risk their personal data unintentionally being sold at an auction. Companies, big and small, must all take their responsibility to protect their customers’ data seriously, and if they do not, my office will take action.”

Morgan Stanley hired a moving company with no experience in data destruction services to decommission thousands of hard drives and servers containing sensitive information of millions of its customers. Morgan Stanley failed to properly monitor the moving company’s work, and its computer equipment, some of which still contained private consumer information, was then sold at auction. Morgan Stanley was only made aware of the problem when a purchaser discovered the data and called the company.

In a second incident, Morgan Stanley discovered during a decommissioning process that 42 servers, all potentially containing unencrypted customer information, were missing. During this process, the company learned that the local devices being decommissioned may have contained unencrypted data due to a manufacturer flaw in the encryption software. The multistate investigation found that Morgan Stanley failed to maintain adequate vendor controls and hardware inventories, and that had these controls been in place, both data security events could have been prevented.

As a result of today’s agreement, Morgan Stanley has agreed to pay a $6.5 million fine and to adopt a series of provisions that better protects the personal information of its consumers going forward, including: 

• Maintaining a comprehensive information security program that includes regular updates that are necessary to reasonably protect the privacy, security, and confidentiality of personal information;
• Maintaining an incident response plan that documents incidents and responses;
• Maintaining a written policy that governs the collection, use, retention, and disposal of consumers’ personal information;
• Encrypting all personal information, whether stored or transmitted, between documents, databases, or elsewhere;
• Employing a manual process and automated tools to keep track of the locations of all hardware that contain personal information; and
• Maintaining a vendor risk assessment team to assess and ensure that vendors are in compliance with Morgan Stanley’s data security requirements.

Today’s agreement continues Attorney General James’ efforts to protect New Yorkers’ personal information and hold companies accountable for their poor data security practices. Last month, Attorney General James and a multistate coalition secured $49.5 million from cloud company Blackbaud for a 2020 data breach exposing the data of thousands of users. In September, Attorney General James reached an agreement with Marymount Manhattan College to invest $3.5 million to protect students’ online data. This past May, Attorney General James secured $300,000 from Sports Warehouse for failing to protect the data of 2.5 million customers. Also in May, Attorney General James recouped $550,000 from a medical management company for failing to protect patient data. In April, Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices. In October 2022, Attorney General James announced a $1.9 million agreement with the owner of SHEIN and Zoetop for failing to properly handle a data breach that compromised the personal information of millions of consumers. In June 2022, Attorney General James secured $400,000 from Wegmans and required the retailer to improve data storage security after a data breach exposed consumers’ personal information.

Joining Attorney General James in today’s agreement are the attorneys general of Connecticut, Florida, Indiana, New Jersey, and Vermont.

This matter was handled by Deputy Bureau Chief Clark Russell of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.