New Jersey to Receive $1.27 Million in Morgan Stanley Data Breach Settlement
New Jersey secures $1.27 million in a multistate $6.5 million settlement with Morgan Stanley Smith Barney LLC, addressing data security breaches impacting over 3.37 million individuals, including 755,592 from New Jersey.
Trenton, NJ - New Jersey's Attorney General Matthew J. Platkin, in conjunction with the Division of Consumer Affairs, announced a significant settlement with Morgan Stanley Smith Barney, LLC ("Morgan Stanley"), resolving an investigation into two major data security incidents. These incidents, occurring in 2016 and 2019, jeopardized the personal data of millions, including a substantial portion of New Jersey residents.
The breaches stemmed from Morgan Stanley's engagement with external vendors for decommissioning electronic devices. This process was improperly executed, leading to potential unauthorized access to sensitive customer data. Compromised information included personal details like names, addresses, phone numbers, and crucial financial data such as account numbers and transaction details.
An investigation involving states including New Jersey, Connecticut, Florida, Indiana, New York, and Vermont was launched to assess Morgan Stanley's adherence to regional security and privacy laws. The findings indicated significant lapses in vendor management and data security protocols at Morgan Stanley.
Under the Assurance of Voluntary Compliance filed today, New Jersey will receive approximately $1.27 million from the overall settlement amount. This agreement also requires Morgan Stanley to undertake rigorous measures to bolster its data security and equipment disposal practices.
“Individuals doing business with financial companies rightly expect those companies to maintain appropriate security measures and processes to prevent their personal information from falling into the wrong hands,” said Attorney General Platkin. “Security lapses that place consumer privacy at risk are unacceptable and we will continue to hold accountable companies that allow them to happen.”
Acting Director of the Division of Consumer Affairs, Cari Fais, pointed out Morgan Stanley's systemic failures in overseeing its vendors, highlighting the significant risks these lapses posed to consumer identity protection.
"Morgan Stanley’s systemic failure to properly oversee vendors responsible for the decommissioning, removal, and destruction of its devices put millions of consumers at risk of identity theft and other types of fraud," Fais commented.
The multistate investigation, initiated in July 2020, revealed two distinct incidents at Morgan Stanley. The first involved improperly decommissioned computer devices from 2016, where subcontractors inadvertently gained access to unencrypted personal data. The second incident in 2019 was linked to a software flaw that potentially left data fragments on decommissioned devices.
Investigators concluded that better vendor control and hardware inventory management could have averted these breaches. Morgan Stanley's oversight failures allowed sensitive information to fall into unauthorized hands.
The settlement's terms require Morgan Stanley to maintain a robust information security program, a comprehensive incident response plan, regular hardware inventory and classification, and stringent vendor risk assessments. Additionally, Morgan Stanley must ensure that all data disposal vendors adhere to strict security protocols and provide documented evidence of their disposal activities.
Deputy Attorney General Cody I. Valdez, under the guidance of Data Privacy & Cybersecurity Section Chief Kashif T. Chand and Assistant Section Chief Thomas Huynh, represented New Jersey in this settlement. Investigator Aziza Salikhova of the Office of Consumer Protection, Division of Consumer Affairs, led the investigation.