Morgan Stanley will settle a data security lawsuit filed by its customers by agreeing to pay $60 million. The complainants said the investment banking company failed to properly retire some of its outdated information technology, which led to their personal data being exposed.
According to Reuters, the proposed initial settlement of the class action was filed at a Manhattan federal court on Friday, Dec. 31, on behalf of around 15 million customers, but it still needs to be approved by U.S. District Judge Analisa Torres.
Under the settlement, each customer can apply for reimbursement of up to $10,000 in out-of-pocket losses. They can also receive at least two years of fraud insurance coverage.
Although it has agreed to resolve the case through settlement, Morgan Stanley reportedly denied any wrongdoing. The settlement documents add that the company has made considerable improvements to its data security practices.
Customers filed the lawsuit accusing Morgan Stanley of failing to decommission two wealth management data centers in 2016 before the unencrypted equipment was resold to unauthorized third parties. They said the equipment was sold while customer data was still on it, and their personal information was exposed as a result.
They further claimed that some old servers containing customer data went missing after the bank moved them to an outside vendor in 2019. Court documents showed that Morgan Stanley later recovered the servers.
The company agreed to pay a $60 million civil fine to settle the claims in a separate class-action suit from the U.S. Office of the Comptroller of the Currency over accusations that its data security practices were not safe, in addition to the incidents mentioned above.
Meanwhile, an executive from a cybersecurity firm said the incidents at Morgan Stanley are preventable by working with NAID AAA certified e-waste recyclers and IT asset disposition (ITAD) companies. Companies also need to communicate with vendors to make sure that all data is totally destroyed.
“This is a classic and textbook example of what not to do. With the current massive increases in liability, there is a huge storm of problems on the horizon for all businesses that mismanage customer information that is stored digitally,” John Shegerian, chairman and chief executive officer at ERI, the largest fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company in the US, said in a press release. “What happened to Morgan Stanley was totally avoidable.”