Morgan Stanley to pay US$60m to resolve data security lawsuit
New York
MORGAN Stanley agreed to pay US$60 million to settle a lawsuit by customers who said the Wall Street bank exposed their personal data when it twice failed to properly retire some of its older information technology.
A preliminary settlement of the proposed class action on behalf of about 15 million customers was filed on Friday (Dec 31) night in Manhattan federal court, and requires approval by US District Judge Analisa Torres.
Customers would receive at least two years of fraud insurance coverage, and each can apply for reimbursement of up to US$10,000 in out-of-pocket losses.
Morgan Stanley denied wrongdoing in agreeing to settle, and has made "substantial" upgrades to its data security practices, according to settlement papers.
Customers accused Morgan Stanley of having failed to decommission two wealth management data centres in 2016 before the unencrypted equipment, which still contained customer data, was resold to unauthorised third parties.
They also said that some older servers containing customer data went missing after Morgan Stanley transferred them in 2019 to an outside vendor. Morgan Stanley later recovered the servers, court papers show.
Morgan Stanley did not immediately respond to requests for comment outside business hours.
In October 2020, Morgan Stanley agreed to pay a US$60 million civil fine to resolve US Office of the Comptroller of the Currency accusations concerning the incidents, including that its information security practices were unsafe or unsound. REUTERS