Attorney General William Tong along with five attorneys general announced a $6.5 million settlement with Morgan Stanley Smith Barney LLC (“Morgan Stanley”) for compromising the personal information of its customers due to negligent internal data security practices. The poorly executed plan of decommissioning its computer devices and the failure to erase unencrypted data in certain computer devices exposed millions of consumers’ personal information that were left in those devices.
Approximately 220,000 Connecticut residents were impacted. Connecticut will receive $754,000 in this settlement.“Morgan Stanley failed to employ basic data security measures when selling-off old computer devices.
Their negligence exposed personal data for hundreds of thousands of their Connecticut customers. In addition to a substantial payment, our settlement forces Morgan Stanley to commit to a series of strong data security measures to ensure these careless errors do not occur again,” said Attorney General Tong.As far back as 2015, the company failed to properly dispose of devices containing its customers’ personal information by hiring a moving company with no experience in data destruction services to decommission thousands of hard drives and servers containing sensitive information of millions of its customers. The company failed to properly monitor the moving company’s work. The computer equipment was sold via internet auctions, some of which contained customer data. The company was not alerted to the problem until a downstream purchaser discovered the data and called the company.In a second incident, a records reconciliation exercise undertaken by the company during a decommissioning process revealed that 42 servers, all potentially containing unencrypted customer information, were missing. During this process, the company learned that the local devices being decommissioned may have contained unencrypted data due to a manufacturer flaw in the encryption software.The investigation finds that Morgan Stanley had failed to maintain adequate vendor controls and hardware inventories, and that had these controls been in place, both data security events could have been prevented.
As a result of today’s agreement, Morgan Stanley has agreed to pay $6.5 million and to adopt a series of provisions that better protects the personal information of its consumers going forward, including
:• Maintaining a comprehensive information security program that includes regular updates that are necessary to reasonably protect the privacy, security, and confidentiality of personal information;
• Maintaining an incident response plan that documents incidents and actions taken in relation to the incidents;
• Maintaining a written policy that governs the collection, use, retention, and disposal of consumers’ personal information;
• Encrypting all personal information, whether stored or transmitted, between documents, databases, or elsewhere;
• Employing a manual process and automated tools to keep track of locations of all hardware that contains personal information
;• Maintaining a vendor risk assessment team to assess and monitor that their vendors are in compliance with Morgan Stanley’s data security requirements.
Joining Attorney General Tong in agreement are the attorneys general of New York, Florida, Indiana, New Jersey, and Vermont.
Assistant Attorney General Kileigh Nassau and Deputy Associate Attorney General Michele Lucan, Chief of the Privacy Section assisted the Attorney General in this matter.
Original source can be found here.