Morgan Stanley has agreed to a $6.5 million settlement following accusations of insecurely disposing of hardware containing unencrypted personal information, potentially exposing millions of customers. The Florida Attorney General’s Office revealed that the multinational investment bank neglected internal data security practices, hiring an inexperienced moving company for decommissioning.
This led to the sale of equipment at internet auctions without proper monitoring, exposing sensitive data. The investigation uncovered flaws in encryption software, missing servers, and inadequate vendor controls, prompting the settlement, which includes mandated security improvements, data encryption, and comprehensive information security measures.
The investigation disclosed that during the decommissioning process, Morgan Stanley failed to properly erase unencrypted personal information stored on devices, allowing the moving company to sell the computer equipment without the bank’s knowledge. Furthermore, a manufacturer flaw in encryption software led to the discovery of 42 missing servers potentially containing unencrypted customer information.
The settlement, which addresses security lapses, requires Morgan Stanley to pay $6.5 million to the states of Florida, Connecticut, Indiana, New Jersey, New York, and Vermont. Additionally, the bank is obligated to implement encryption for data at rest and in transit, establish a comprehensive data collection, use, retention, and disposal policy, and maintain an information security program, incident response plan, and vendor risk assessment team.
The agreement underscores the importance of proper data security practices, emphasizing the need for financial institutions to take measures to protect customer information during decommissioning processes.
The settlement not only addresses the financial aspect but also mandates substantial improvements in Morgan Stanley’s approach to data security, aiming to prevent future exposure of sensitive customer information through enhanced encryption and comprehensive security measures.
