Indiana has joined five other states in reaching a $6.5 million settlement agreement with a global financial services company that acknowledged it failed to protect its customers’ personal information on multiple occasions.
In a news release, Attorney General Todd Rokita announced that Indiana will receive $690,000 as part of the multistate settlement with Morgan Stanley Smith Barney LLC — better known as Morgan Stanley — to resolve allegations of negligent internal data security practices.
“We have taken this action because companies must be held accountable for protecting Hoosiers’ data privacy in accordance with our laws,” Rokita said in the release. “Our team will continue standing up for hardworking families and defending their interests and rights as consumers.”
An assurance of voluntary compliance was filed Nov. 16 in Marion Superior Court 2 between the state and Morgan Stanley.
According to the document, in July 2020, Morgan Stanley notified the attorneys general of Indiana, Connecticut, Florida, New Jersey, New York and Vermont about two data security incidents.
The first incident involved computer devices that were decommissioned and resold in connection with the closing of two data centers in 2016.
“While Morgan Stanley had contracted with a vendor to remove its data from the devices, it subsequently learned that the vendor subcontracted certain relevant services to an unauthorized entity, and that certain devices still contained some unencrypted Personal Information (the ‘Data Center Event’),” the document states.
The second incident, according to the document, involved devices that Morgan Stanley was unable to locate following a decommissioning event. Because of a manufacturer flaw in the encryption software used on those devices, unencrypted data fragments may have remained on them.
According to Rokita’s office, as far back as 2015, Morgan Stanley failed to properly dispose of devices containing its customers’ personal information by hiring a moving company with no experience in data destruction services.
Morgan Stanley also failed to properly monitor the outside firm’s work, which involved decommissioning thousands of hard drives and servers containing sensitive information of millions of its customers, according to the Office of the Attorney General.
The computer equipment, some of which contained customer data, was sold via internet auctions. Morgan Stanley learned of problems when a downstream purchaser discovered the data and called the company.
In the second incident, a records reconciliation exercise undertaken by the company during a decommissioning process revealed that 42 servers, all potentially containing unencrypted customer information, were missing.
The company has agreed to adopt a series of provisions that better protect the personal information of its consumers going forward, including:
- Maintaining a comprehensive information security program that includes regular updates that are necessary to reasonably protect the privacy, security and confidentiality of personal information.
- Maintaining an incident response plan that documents incidents and actions taken in relation to the incidents.
- Maintaining a written policy that governs the collection, use, retention and disposal of consumers’ personal information.
- Encrypting all personal information, whether stored in or transmitted between documents, databases or elsewhere.
- Employing a manual process and automated tools to track the location of all hardware that contains personal information.
- Maintaining a vendor risk assessment team to assess and monitor its vendors' compliance with Morgan Stanley's data security requirements.
The $690,000 paid to Indiana will be used for any purpose allowable by law, according to the agreement.