Press Releases
11/16/2023
Attorney General Tong Announces $6.5 Million Settlement with Morgan Stanley for Two Data Security Incidents
(Hartford, CT) — Attorney General William Tong along with five attorneys general today announced a $6.5 million settlement with Morgan Stanley Smith Barney LLC (“Morgan Stanley”) for compromising the personal information of its customers due to negligent internal data security practices. The poorly executed plan of decommissioning its computer devices and the failure to erase unencrypted data in certain computer devices exposed millions of consumers’ personal information that had been left in those devices.
Approximately 220,000 Connecticut residents were impacted. Connecticut will receive $754,000 in this settlement.
“Morgan Stanley failed to employ basic data security measures when selling off old computer devices. Their negligence exposed personal data for hundreds of thousands of their Connecticut customers. In addition to a substantial payment, our settlement today forces Morgan Stanley to commit to a series of robust data security measures to ensure these careless mistakes don’t happen again,” said Attorney General Tong.
As far back as 2015, the company failed to properly dispose of devices containing its customers’ personal information by hiring a moving company with no experience in data destruction services to decommission thousands of hard drives and servers containing sensitive information of millions of its customers. The company failed to properly monitor the moving company’s work. The computer equipment, some of which contained customer data, was sold through internet auctions. The company was not alerted to the problem until a downstream purchaser discovered the data and called the company.
In a second incident, a data reconciliation exercise undertaken by the company during a decommissioning process revealed that 42 servers, all potentially containing unencrypted customer information, were missing. During this process, the company learned that the local devices being decommissioned may have contained unencrypted data due to a manufacturer flaw in the encryption software.
The investigation found that Morgan Stanley had failed to maintain adequate vendor controls and hardware inventories, and that had these controls been in place, both data security events could have been prevented.
As a result of today’s settlement, Morgan Stanley has agreed to pay $6.5 million and to adopt a series of provisions that better protect the personal information of its consumers going forward, including:
• Maintaining a comprehensive information security program that includes regular updates that are necessary to reasonably protect the privacy, security, and confidentiality of personal information;
• Maintaining an incident response plan that documents incidents and actions taken in relation to the incidents;
• Maintaining a written policy that governs the collection, use, retention, and disposal of consumers’ personal information;
• Encrypting all personal information, whether stored or transmitted, between documents, databases, or elsewhere;
• Employing a manual process and automated tools to keep track of locations of all hardware that contains personal information;
• Maintaining a vendor risk assessment team to assess and monitor that their vendors are in compliance with Morgan Stanley’s data security requirements.
Joining Attorney General Tong in today’s settlement are the attorneys general of New York, Florida, Indiana, New Jersey, and Vermont.
Assistant Attorney General Kileigh Nassau and Deputy Associate Attorney General Michele Lucan, Chief of the Privacy Section, assisted the Attorney General in this matter.
- Twitter: @AGWilliamTong
- Facebook: CT Attorney General
Media Contact:
Elizabeth Benton
elizabeth.benton@ct.gov
Consumer Inquiries:
860-808-5318
attorney.general@ct.gov
