Attorney General Ashley Moody and five other attorneys general have reached a $6.5 million settlement with Morgan Stanley Smith Barney LLC, also known as Morgan Stanley. The agreement comes after an investigation revealed that Morgan Stanley had compromised the personal information of its customers due to negligent internal data-security practices.
The investigation found that Morgan Stanley potentially exposed the personal information of millions of consumers by failing to properly erase unencrypted data when disposing of the company's computer devices. The company hired a moving company with no experience in data-destruction services to decommission hard drives and servers containing sensitive customer information. The moving company then sold the computer equipment through internet auctions without properly monitoring the process. It was only when a downstream purchaser discovered the data and contacted the company that Morgan Stanley became aware of the problem.
Furthermore, a second incident involved the discovery of 42 missing servers during the decommissioning process, all of which potentially contained unencrypted customer information. This incident was caused by a manufacturer flaw in the encryption software.
Attorney General Ashley Moody expressed concern over the mishandling of customer data by Morgan Stanley, stating, "This company put the personal information of millions of its customers at risk through the mishandling of decommissioned devices." She added, "Now, Morgan Stanley will have to pay $6.5 million and take steps to ensure customer data is protected."
As part of the settlement, Morgan Stanley will pay $6.5 million to the states involved in the investigation, which include Florida, Connecticut, Indiana, New Jersey, New York, and Vermont. In addition to the monetary compensation, Morgan Stanley will be required to implement several provisions to strengthen the protection of personal information for its customers. These provisions include encrypting all personal information, maintaining a written policy governing the collection and disposal of personal information, employing a process to track the locations of all hardware containing personal information, maintaining a comprehensive information security program, supporting an incident response plan, and establishing a vendor risk assessment team.
The Attorney General's Office emphasized the importance of maintaining adequate data-security controls and hardware inventories, stating that if these controls had been in place, both data-security incidents could have been prevented.
The settlement with Morgan Stanley serves as a reminder to companies about the critical need to prioritize data security and protect the personal information of their customers. With the increasing frequency of data breaches and cyber attacks, it is imperative for businesses to implement robust data-security measures to safeguard sensitive information.
To read the full agreement between Attorney General Ashley Moody and Morgan Stanley, click here.
For additional details, please follow this link: https://www.myfloridalegal.com/newsrelease/attorney-general-moody-recovers-65-million-morgan-stanley-over-two-data-security