R.I.P. Data or Rip Data?
Plaintiffs filed a class-action suit against Morgan Stanley because sensitive client data was discovered on IT assets, which had been decommissioned and sold by Morgan Stanley. The suit recently settled, and the resulting agreement provides insight into the data security incident, potential legal liability, and possible preventions for such issues in the future.
During the years 2016 and 2019 Morgan Stanley disposed of equipment that potentially contained over 15 million names, account numbers, spousal information, social security numbers, home and work contact information, and more. Morgan Stanley disposed of the equipment without removing or wiping the sensitive data from the equipment, and did not monitor the work of a third-party vendor used to facilitate the sale of the equipment. A third-party vendor who had purchased some used equipment from an IT vendor reported the issue when the data was discovered.
Morgan Stanley conducted their own investigation and eventually reported the issue to the Office of the Comptroller of the Currency (“OCC”). The OCC conducted its own investigation and then directed Morgan Stanley to provide notifications to the 15 million affected individuals. The OCC also fined Morgan Stanley sixty-million dollars ($60,000,000.00) for the data security incident. Several of the affected individuals retained counsel after receiving the notice.
A subsequent class-action lawsuit was filed, where counsel alleged:
(1) negligence; (2) gross negligence; (3) deceptive acts and practices in violation of New York’s General Business Law; (4) breach of fiduciary duty; (5) unjust enrichment; and (6) breach of confidence.
The settlement establishes a sixty-million dollar ($60,000,000.00) non-reversionary fund for credit monitoring, out-of-pocket expenses, lost time, and other benefits for the affected individuals. Another key agreement requires Morgan Stanley to hire a third-party to track down, find, and acquire the missing decommissioned IT assets.
This settlement is in addition to the fine levied by the OCC, bringing Morgan Stanley’s total to one hundred and twenty million dollars ($120,000,000.00) in legal costs for mismanaging the decommission of its IT assets with sensitive data being disposed of in an unsecure manner.
The data security incident and resulting fines and settlement are key reminders for all organizations that sensitive data can live on long after the thrill of living is gone, particularly on IT assets, hardware, and IOT devices. With this in mind, all organizations should implement security policies which include:
- Reviewing, identifying, and adhering to any data destruction requirements included in statutes, regulations, or contracts;
- Identifying and tracking all assets that contain or potentially contain personal information;
- Reviewing data stored on any IT asset in connection with its disposal; and
- Disposing of all assets in a manner consistent with the data stored therein.