Financial institution Morgan Stanley recently told customers an ITAD vendor’s mistakes may have left personal information susceptible to misuse. Multiple clients have filed suit against the investment firm.
Morgan Stanley on July 10 wrote to clients disclosing “potential data security incidents” related to their personal information. The incidents occurred during multiple ITAD processes over the past four years, according to the letter.
“In 2016, Morgan Stanley closed two data centers and decommissioned the computer equipment in both locations,” the company wrote. “As is customary, we contracted with a vendor to remove the data from the devices. We subsequently learned that certain devices believed to have been wiped of all information still contained some unencrypted data.”
In an incident in 2019, another ITAD project involved retiring and replacing computer servers in multiple local branch offices, according to a separate notification the company issued to the Iowa Attorney General’s Office. These retired servers may have stored personal information.
“During a recent inventory, we were unable to locate a small number of those devices,” wrote Gerard Brady, chief information security officer for Morgan Stanley. “The manufacturer subsequently informed us of a software flaw that could have resulted in small amounts of previously deleted data remaining on the disks in unencrypted form.”
Morgan Stanley will pay for two years of credit monitoring for customers whose data may have been breached, according to the notifications. The company will also pay for free “identity restoration” services if a client’s information is found to be compromised.
In a statement to E-Scrap News, a Morgan Stanley spokesperson said company officials have “continuously monitored the situation and have not detected any unauthorized activity related to the matter, nor access to or misuse of personal client data.”
In both instances, Morgan Stanley “investigated the disposition and handling of the devices, and worked with outside technical experts to understand any potential risks to customer data in light of the technical characteristics and configuration of each of the relevant devices,” according to the notification to the Iowa Attorney General.
Morgan Stanley did not name the contracted processor that handled the decommissioning events in question. According to a report in AdvisorHub that cited an unnamed source, Morgan Stanley is “considering appropriate legal action against the firm hired to scrub the data.”
The data security incidents have so far spurred two class action lawsuits against Morgan Stanley on behalf of clients concerned about their personally identifiable information being breached. Filed on July 29 and July 31 in the U.S. District Court for the Southern District of New York, the lawsuits allege negligence, invasion of privacy and unjust enrichment for failing to properly protect clients’ information.
The personal information of clients was compromised due to Morgan Stanley’s “negligent and/or careless acts and omissions and the failure to protect customers’ data,” according to the July 31 lawsuit. “In addition to Morgan Stanley’s failure to prevent the data breach, defendant failed to detect the data breach for years, and when they did discover the data breach, it took them over a year, possibly longer, to report it to the affected individuals and the states’ attorneys general.”
The lawsuits ask the court to compel Morgan Stanley to use “appropriate cyber security methods and policies with respect to [personally identifiable information] collection, storage, protection and disposal,” among other actions.
Morgan Stanley has not filed a response in court. The company declined to comment to E-Scrap News on the legal actions.
Industry responds with takeaways and lessons
The case has generated interest within the ITAD and data security fields, specifically as an example highlighting the importance of proper data management practices.
Kyle Marks, CEO of Retire-IT, wrote that the plaintiffs in the lawsuits will be eager to demonstrate that Morgan Stanley ignored certain obligations. And they’ll be seeking to bring to light more specifics about the data security incidents.
“Naturally, we should expect plaintiffs to ask, how do we know only a ‘small’ number of servers is missing?” wrote Marks, whose company connects ITAD clients with processors. Marks frequently writes about concerns over data security practices within the ITAD sector.
Bob Johnson of the National Association for Information Destruction (NAID) wrote that the Morgan Stanley case highlights the risk for all ITAD clients of past careless asset disposal practices. NAID provides certification for data destruction firms.
“There is no statute of limitation on future data breaches,” Johnson wrote. “If a hard drive turns up five or 10 years down the road with personal information on it, it is still a data breach plain and simple. Ignoring missing or improperly wiped electronic media today simply means there are a bunch of time bombs floating around.”
He commended Morgan Stanley for disclosing the data breach, noting that the cost of not reporting a discovered breach can be far higher than doing so. And he offered some takeaways for companies based on the Morgan Stanley situation.
“Going forward, organizations need to do better,” Johnson wrote. “They need to be sure 1) they are accounting for IT equipment from the moment it is acquired to the point it is finally disposed, and, 2) elevate the selection criteria, operating criteria, monitoring procedures, and contracts of IT asset disposal services they use.”
