New Jersey to receive $1.27M in multistate settlement with Morgan Stanley over data security incidents that compromised personal information of millions of individuals nationwide

NEW JERSEY – Attorney General Matthew J. Platkin and the Division of Consumer Affairs announced Thursday that New Jersey has entered into an overall $6.5 million multistate settlement with Morgan Stanley Smith Barney, LLC (“Morgan Stanley”) that resolves the states’ investigation into two data security incidents that compromised the personal information of more than 3.37 million individuals nationwide, including 755,592 New Jersey residents.

Allegedly precipitated by Morgan Stanley’s hiring of outside vendors that improperly decommissioned thousands of electronic devices in 2016 and 2019, the data security incidents resulted in unauthorized third parties having the ability to access devices containing customers’ personal information – including names, addresses, phone numbers, account names, and numbers for Morgan Stanley accounts.

The third parties also had access to customers’ linked bank accounts, Social Security numbers, birthdates, asset values, holdings data, and securities transaction information.

Attorneys General in New Jersey, Connecticut, Florida, Indiana, New York, and Vermont commenced an investigation into the incidents to determine if Morgan Stanley’s conduct violated the states’ security, privacy, and consumer protection laws.

Under an Assurance of Voluntary Compliance (“AVC”) filed with the Division of Consumer Affairs today, New Jersey is to receive approximately $1.27 million of the overall Morgan Stanley settlement payout.

In addition to paying New Jersey and the other affected states, the settlement requires that Morgan Stanley take multiple steps to strengthen its data security and disposal procedures.

“Individuals doing business with financial companies rightly expect those companies to maintain appropriate security measures and processes to prevent their personal information from falling into the wrong hands,” Platkin said. “Security lapses that place consumer privacy at risk are unacceptable and we will continue to hold accountable companies that allow them to happen.”

“Companies have a duty under our laws to protect consumers’ sensitive personal information and maintain proper oversight of devices that store such data,” said Cari Fais, Acting Director of the Division of Consumer Affairs. “Morgan Stanley’s systemic failure to properly oversee vendors responsible for the decommissioning, removal, and destruction of its devices put millions of consumers at risk of identity theft and other types of fraud. This settlement sends a clear message that security lapses of that magnitude come with significant consequences.”

The multistate investigation was launched in July 2020 after Morgan Stanley notified the Attorneys General of two data security incidents:

• The first incident involved computer devices that were decommissioned and resold in connection with the closing of two data centers in 2016. While Morgan Stanley had contracted with a vendor to remove its data from the devices, it subsequently learned that the vendor subcontracted certain relevant services to an unauthorized entity, and that certain devices still contained some unencrypted personal information.

• The second incident involved a software flaw that could have resulted in unencrypted data fragments remaining on the affected devices that Morgan Stanley was unable to locate following a decommissioning event; the data fragments may have remained on the affected devices as a result of a manufacturer flaw in encryption software.

The investigation determined that Morgan Stanley failed to maintain adequate vendor controls and hardware inventories, and that, had these controls been in place, the data incidents could have been prevented.

Specifically, the states found that Morgan Stanley failed to confirm that the vendors were operating in compliance with their contractual obligations and failed to review documentation provided by vendors related to device decommissioning. These failures resulted in unauthorized third parties receiving devices containing personal information that, in some cases, had no restrictions to access.

Morgan Stanley is required under the settlement to maintain appropriate security measures and processes to help prevent these types of incidents from occurring in the future.

Those measures and processes include:

• maintaining a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected directly or indirectly by Morgan Stanley;
• maintaining a comprehensive written incident response plan that requires Morgan Stanley to investigate data security incidents that are reasonably suspected to involve personal information;
• employing manual processes and, where practicable, automated tools to regularly inventory, classify, and issue reports on all hardware containing consumer personal information;
• maintaining and regularly updating an inventory of all active vendors and a copy of active vendor contracts, including maintaining a risk rating protocol for evaluating its vendors;
• in all contracts entered into after the effective date of the AVC, requiring vendors that Morgan Stanley engages to dispose of consumer personal information (“Disposal Vendors”) to implement specific data security requirements for protecting that information, in particular by contractually requiring Disposal Vendors to take reasonable measures to securely dispose of such information, and by contractually requiring them to appropriately document and provide Morgan Stanley with receipt of its disposal activities; and
• requiring that Disposal Vendors agree to flow-down Morgan Stanley’s security requirements to subcontractors.