Morgan Stanley Smith Barney agreed Thursday to pay six states $6.5 million to settle charges that it failed to protect customers’ personal information while shutting down two data centers in 2016.
The problem occurred when computer devices were decommissioned and resold following the closure of the data centers. Morgan Stanley contracted with a vendor to remove data from the devices. But the vendor subcontracted some of the work to an unauthorized vendor and some customer information was left on the computers, according to an agreement released by New York Attorney General Letitia James.
A second incident involved a software flaw that could have allowed unencrypted customer data to remain on devices that Morgan Stanley could not locate after they were decommissioned. The vulnerabilities involved the disposal of computer hardware rather than an external breach.
Approximately 15 million clients' details were exposed over a five-year period beginning in 2015, Bloomberg News previously reported.
An investigation by James and the other state attorneys general “determined that Morgan Stanley failed to maintain adequate vendor controls and hardware inventories, and that had these controls been in place, the data incidents could have been prevented,” the New York agreement states.
The firm notified the attorneys general on July 10, 2020, about the potential vulnerability of the client data. The settlement with New York, Connecticut, New Jersey, Vermont, Indiana and Florida concluded an ongoing investigation. The firm reached a $35 million settlement with the Securities and Exchange Commission last year over the same charges.
“No one should have their personal information auctioned off without their knowledge because a company failed to take basic steps to erase it before selling their old computers,” James said in a statement. “Today’s agreement requires Morgan Stanley to bolster its cybersecurity so consumers will never again have to risk their personal data unintentionally being sold at an auction. Companies, big and small, must all take their responsibility to protect their customers’ data seriously, and if they do not, my office will take action.”
As part of the agreement, Morgan Stanley adopted several improvements to better protect sensitive customer data, such as encrypting customers’ personal information and strengthening risk assessments of vendors.
“We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to have resolved this related investigation,” a Morgan Stanley spokesperson said in a statement.
The firm has said that it has not detected unauthorized access to or misuse of customer information.
Rajesh Markan earlier this year pleaded guilty to one count of criminal fraud related to his sale of fake investments to 10 clients totaling $2.9 million.
From building trust to steering through emotions and responding to client challenges, new advisors need human skills to shape the future of the advice industry.
"The outcome is correct, but it's disappointing that FINRA had ample opportunity to investigate the merits of clients' allegations in these claims, including the testimony in the three investor arbitrations with hearings," Jeff Erez, a plaintiff's attorney representing a large portion of the Stifel clients, said.
Chair also praised the passage of stablecoin legislation this week.
Maridea Wealth Management's deal in Chicago, Illinois is its first after securing a strategic investment in April.
Orion's Tom Wilson on delivering coordinated, high-touch service in a world where returns alone no longer set you apart.
Barely a decade old, registered index-linked annuities have quickly surged in popularity, thanks to their unique blend of protection and growth potential—an appealing option for investors looking to chart a steadier course through today's choppy market waters, says Myles Lambert, Brighthouse Financial.
