[BreachExchange] Morgan Stanley Hit with Class Lawsuit Over Alleged Data Breaches
Destry Winant
destry at riskbasedsecurity.com
Fri Jul 31 10:21:20 EDT 2020
https://advisorhub.com/morgan-stanley-hit-with-class-action-over-alleged-data-breaches/
Former and current Morgan Stanley customers have filed a putative
class-action lawsuit alleging negligence and invasion of privacy over
the firm’s failure to properly scrub decommissioned hardware of
personal information such as social security numbers, account numbers
and other personal data.
Morgan Stanley earlier this month began notifying brokers and
customers that some client information remained on hardware from two
data centers that were closed in 2016.
Filed Wednesday in federal district court in New York City’s second
circuit, the lawsuit also says the wirehouse learned in 2019, and
informed some state attorneys general this month, that computer
servers replaced in some branches cannot be located and may have
contained disks with unencrypted personal data.
“In addition to Morgan Stanley’s failure to prevent the Data Breach,
Defendant failed to detect the Data Breach for years, and when they
did discover the Data Breach, it took them over a year, possibly
longer, to report it to the affected individuals and the states’
Attorneys General,” the lawsuit said.
A Morgan Stanley spokeswoman declined to comment on the suit. The firm
had earlier said it had no evidence after working with outside experts
that any personal information had been recovered or misused.
“We have continuously monitored the situation and have not detected
any unauthorized activity related to the matter,“ it said in letters
to clients seen by AdvisorHub that referenced only the 2016
data-center issue. “[I]n an abundance of caution, we wanted to make
you aware of this matter and what we are doing to protect you.”
Affected individuals, some of whom were Smith Barney customers who
closed their accounts before Morgan Stanley bought the firm a decade
ago, can receive two years of free credit monitoring and fraud
detection services if they sign up directly with Experian by October
31, according to the letters.
The lawsuit was filed by five residents of California, New York,
Florida and Illinois on behalf of an unspecified number of people who
received the letters, and does not specify the potential class size.
It seeks certification of a national class and a separate “California
subclass” (asserting two counts of unfair business practices under
California law).
“This case does not involve a breach of a computer system by a third
party, but rather an unauthorized disclosure of PII [personal
identifiable information] to unknown third parties,” the lawsuit said.
It did not specify a damage amount, but said plaintiffs were injured
by the “lost or diminished value” of their personal identification
data, the continued uncertainty and risk of identity theft,
out-of-pocket expenses they may incur to detect fraud and lost
opportunity costs.
“The missing equipment and servers contain everything unauthorized
third-parties need to illegally use Morgan Stanley’s current and
former customers’ PII to steal their identities and to make fraudulent
purchases, among other things,” according to the suit.
Richard Gamen, one of the named plaintiffs, has filed a complaint with
the Federal Trade Commission and spent time “verifying the legitimacy
of the Notice of Data Breach, communicating with Morgan Stanley
representatives on the toll-free number supplied in the notice,
exploring credit monitoring and identity theft insurance options, and
self- monitoring their accounts,” the lawsuit says. “This time has
been lost forever and cannot be recaptured.”
The plaintiffs’ lawyers at Morgan & Morgan, Clayeo C. Arnold and The
Consumer Protection Firm who filed the complaint did not immediately
respond to requests for comment on the potential size of the class or
an estimate of the actual and punitive damages being sought. (The suit
is captioned Sylvia Tillman, Amresh Jaiijee, Vivian Yates, Richard
Gamen, Cheryl Gamen on behalf of themselves and all others similarly
situated vs. Morgan Stanley Smith Barney, LLC.)
In 2016, Morgan Stanley reached a $1 million settlement with the
Securities and Exchange Commission for failing to supervise a broker
who downloaded client data onto his personal computer. The FTC
determined that the data breach, which affected up to 350,000
accounts, was a result of a “glitch” and did not impose sanctions.
More information about the BreachExchange
mailing list