Morgan Stanley has agreed to establish a $60 million fund to settle a class-action lawsuit filed by nearly a dozen customers regarding personal data that was compromised when the bank decommissioned two wealth management centers.
The proposed settlement, filed Friday in U.S. District Court for the Southern District of New York, will allow class members to make claims for up to $10,000 each in reimbursement for out-of-pocket losses and up to four hours in attested lost time at $25 per hour. Each settlement member will also automatically receive access to at least 24 months of fraud insurance.
The lost data stems from personally identifiable information (PII) regarding approximately 15 million current and former Morgan Stanley customers that was not properly deleted from two separate legacy IT systems in 2016 and 2019. The bank sold the legacy systems with unencrypted data to third parties. It was then later informed by parties with access to the systems that customers’ PII had not been wiped before they were sold.
The data included customers’ names, addresses, account information, Social Security numbers, dates of birth, credit card numbers, and other personal information, the settlement said.
Morgan Stanley began informing its customers about the issue in July 2020.
In October 2020, the Office of the Comptroller of the Currency (OCC) fined Morgan Stanley $60 million for its failure to maintain an appropriate inventory of the customer data stored on the hardware in its 2016 decommissioning; its failure to recognize the potential risks of a data breach during the decommissioning; and its failure to properly assess the potential data breach risks incurred by using third-party subcontractors to conduct the decommissioning. The third-party threats were exacerbated by inadequate due diligence and monitoring, the OCC noted.
Both the OCC order and the class-action settlement noted Morgan Stanley has taken substantive steps to address the issue. The bank pledged to hire a third party “to continue the effort to locate and retrieve missing retired IT assets,” according to the settlement. The retrieval effort will continue for a full year from the date the settlement is approved by the court.
“We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to be resolving this related litigation,” a Morgan Stanley spokesperson said.