Morgan Stanley agreed to pay $6.5 million as part of a settlement with six states requiring the firm to strengthen its data security after its actions compromised the personal data of millions of customers.

Morgan Stanley Smith Barney, the wealth and asset management arm of Morgan Stanley, failed to encrypt the personal data of customers it kept stored on servers and hard drives, according to the agreement the firm reached with the attorneys general of Connecticut, Florida, Indiana, New Jersey, New York, and Vermont.

The details: In 2016, when the firm shut down two data centers, it didn’t take appropriate measures to secure the hard drives and servers. They were eventually auctioned off by movers the firm hired.

In another decommissioning by the firm, 42 servers went missing. It was later discovered that they may have contained unencrypted customer data because of a flaw in the encryption software Morgan Stanley had purchased. The states alleged that Morgan Stanley failed to maintain adequate vendor controls and hardware inventories.

The settlement with the states follows a $35 million fine the firm received from the Securities and Exchange Commission in September 2022 in a related case. The Treasury Department’s Office of the Comptroller of the Currency fined Morgan Stanley $60 million in October 2020 regarding the same matter.

Compliance considerations: Morgan Stanley agreed to maintain a comprehensive information security program; an incident response plan; and a written policy governing the appropriate collection, use, retention, and disposal of consumers’ personal data. The firm must encrypt all personal data that is stored or transferred and keep track of where it is storing that information.

The firm must create a vendor risk assessment team to ensure that any vendors abide by its data security requirements.

“No one should have their personal information auctioned off without their knowledge because a company failed to take basic steps to erase it before selling their old computers,” said New York Attorney General Letitia James in a press release Thursday. New York will receive about $1.7 million from the settlement.

“[This] agreement requires Morgan Stanley to bolster its cybersecurity so consumers will never again have to risk their personal data unintentionally being sold at an auction,” James said. “Companies, big and small, must all take their responsibility to protect their customers’ data seriously.”

Firm response: “We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to have resolved this related investigation,” said a Morgan Stanley spokesperson in an emailed statement.