Data that was mismanaged during Morgan Stanley’s ITAD processes has not been accessed for malicious intent, and therefore the class-action lawsuit against the financial giant should be dismissed, attorneys for the bank said in a new court filing.
The argument is the latest in the data loss saga stemming from computer decommissioning jobs Morgan Stanley hired out in 2016 and 2019. After the company alerted customers in 2020 that their data was mismanaged and potentially compromised, numerous lawsuits followed and were quickly consolidated into a class-action legal case against the financial giant. The company was hit with a federal fine in late 2020.
Morgan Stanley responded to the complaint in August, naming the vendor – a New York moving company – that it used for a data center decommissioning job in 2016. The bank asked the court to dismiss the case. Lawyers for the consumer plaintiffs fired back, alleging that Morgan Stanley ignored industry standards and swapped out an experienced ITAD vendor for a moving company in an effort to save $100,000.
On Sept. 29, Morgan Stanley again made its case in a court filing. The financial firm essentially made a case that, even though the data-bearing devices were not properly sanitized, clients’ personal information hasn’t fallen into nefarious hands.
Attorneys for Morgan Stanley argued that, for all of the plaintiffs’ “breathless hyperbole,” their allegations don’t show the data was misused. And because of that, Morgan Stanley says the case doesn’t have merit.
“In a lost-data case such as this one, the absence of allegations of a malicious actor or other link between the lost data to actual misuse means that there is no basis to presume that the lost data is actually being misused,” the lawyers wrote. “Thus, even assuming that plaintiffs’ incendiary allegations are true, they simply have no relevance to the threshold issue of standing.”
The amount of time that’s elapsed since the 2016 and 2019 decommissioning events underscores the lack of evidence that data was maliciously used, the attorneys noted.
Bank says it didn’t ditch best practices
Morgan Stanley added that because the plaintiffs can’t prove data was stolen for malicious use, they instead “focus on the purported ‘egregiousness’ of Morgan Stanley’s alleged misconduct in connection with the data center device commissioning and hardware refresh program underlying the 2016 and 2019 events.”
Attorneys for the financial giant argued against the concept that the company ignored best practices in these events. They said the “allegations that Morgan Stanley’s data policies or practices deviated from an acceptable industry baseline or standard are too perfunctory to plead a breach of any duty.”
The case has become a flashpoint for the ITAD industry, serving as a high-profile example of data loss directly related to asset disposition. Most data breaches are caused by hacking, employee snooping, or accidental disclosure, data from Canadian authorities suggests. Research on U.S. data breaches suggests the same thing, although the National Association of Information Destruction (NAID) has found that personal data abounds on drives that were supposedly wiped before they were resold online.
The International Association of IT Asset Managers (IAITAM) held a discussion of the Morgan Stanley case last week. Electronics processor and ITAD firm Global Electronic Recycling on Sept. 30 wrote about the lessons the industry can take away from the events. Data destruction equipment supplier Security Engineered Machinery (SEM) highlighted the case as an example of why companies might want to take data destruction services in-house rather than working with a vendor.