Morgan Stanley agreed to pay $60 million in a preliminary settlement of a class-action lawsuit filed against the company on Friday, according to Reuters, for allegedly neglecting to secure customers' personal data before retiring outdated information technology.
The settlement offer awaits the approval of New York District Judge Analisa Torres.
The lawsuit was filed on behalf of around 15 million Morgan Stanley clients in response to two separate occurrences that occurred in 2016 and 2019.
Morgan Stanley decommissioned two wealth management data centres in the first incident. Before removing the unencrypted computer equipment from the centres, the bank's vendor, Triple Crown, was tasked with deleting or destroying it. Even after it had left the vendor's control, this device was later discovered to contain data.
According to Morgan Stanley, the vendor removed the devices and resold them to a third party without permission.
As part of a hardware refresh programme, the second incident entailed the replacement and removal of branch office equipment. The bank was unable to discover some of these devices, which could have retained previously deleted information on discs in an unencrypted version due to a software error.
Customers will receive a minimum of two years of fraud insurance coverage as part of the proposed settlement, as well as compensation for up to $10,000 in related out-of-pocket losses. The bank also stated that it would improve its data security procedures.
Morgan Stanley maintains that there was no wrongdoing on its part, even though it is seeking a settlement. In a move to dismiss the complaint filed in August 2021, the bank said that despite extensive investigations and ongoing surveillance over the years, it has not discovered a single instance of data misuse generated from any of its own sources.
Morgan Stanley was fined $60 million in civil penalties in October 2020 for failing to adequately supervise the decommissioning of its data centres in 2016.
The Office of the Comptroller of the Currency imposed the penalty after discovering that the bank: failed to effectively assess or address risks associated with decommissioning its hardware; failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices.
