A class-action lawsuit against Morgan Stanley stemming from fumbled ITAD jobs has been tentatively settled, although details of the agreement remain confidential.
The financial giant disclosed in July 2020 that some customers’ personal data was potentially compromised during asset disposition jobs in 2016 and 2019. The company was quickly hit with a handful of lawsuits that turned into a class-action case representing Morgan Stanley’s customers.
In a Nov. 4 court filing in the U.S. District Court for the Southern District of New York, U.S. District Judge Analisa Torres wrote that the court “has been advised that all claims asserted herein have been settled in principle.”
That means the legal case has been dismissed for the time being. If the settlement falls through, the case could be reopened. Attorneys for both Morgan Stanley and the plaintiffs have 45 days to reopen the case if the settlement does not come about, according to the filing.
Documents with more details of the settlement have not yet been released in court.
“We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to be resolving this related litigation,” a Morgan Stanley spokesperson told E-Scrap News.
Linda Nussbaum, an attorney representing the plaintiffs, said the terms of the settlement will remain confidential until attorneys file for preliminary approval. She added that attorneys for the plaintiffs are “very pleased with the settlement and believe that it provides meaningful relief to the class.”
After the class-action kicked off in the summer of 2020, subsequent court documents revealed details about the 2016 asset disposition fiasco. It involved decommissioning more than 4,900 devices in a New York data center, and Morgan Stanley contracted with a moving company to carry out the job.
The vendor removed devices and sold them to another company, which resold them online. An IT consultant who purchased some of them online realized data remained on the devices, and he alerted Morgan Stanley of that fact.
In the 2019 data mismanagement incidents, Morgan Stanley retired about 500 servers from various local branch offices around the country. The company later determined it could not account for some of the devices and that some of them may not have been properly sanitized before being sold to a third party.
The plaintiffs later alleged Morgan Stanley ignored ITAD industry standards by using an unqualified vendor in the 2016 case, among other allegations. The financial company argued that even if devices were not properly sanitized, there is no evidence that customer data was stolen or used nefariously, so the legal case is unfounded.
Separate from the lawsuit, Morgan Stanley was also hit with a $60 million fine from the federal government, which found the company “engaged in unsafe or unsound practices that were part of a pattern of misconduct” related to asset disposition. In agreeing to the consent order, Morgan Stanley neither admitted nor denied those claims.
