MONTPELIER, Vt. — Attorney General Charity Clark and Department of Financial Regulation Commissioner Kevin Gaffney announced today that Vermont, along with five other states, has reached a multistate settlement totaling $6.5 million with Morgan Stanley over two incidents that compromised the personal information of millions of Morgan Stanley customers. Both incidents occurred due to Morgan Stanley’s failure to erase unencrypted data in certain computer devices that were decommissioned, exposing millions of consumers’ personal information left in those devices. Vermont will receive over $595,000 from the settlement, with approximately $89,000 going to the Vermont Financial Services Education and Victim Restitution Special Fund to help compensate victims of securities violations.
“Businesses that collect Vermonters’ data must protect it,” said Attorney General Clark. “Today’s settlement serves as a reminder to Vermont businesses about the importance of data minimization. By limiting or eliminating retention of consumer information, businesses can reduce the risk associated with data security incidents. I will continue to hold data brokers and others accountable when they fall short of what is required by law. Consumers deserve peace of mind in knowing that their data is secure.”
Commissioner Gaffney agreed, adding: “The $89,000 the Department will receive for the Vermont Financial Services Education and Victim Restitution Special Fund will aid Vermonters affected by securities law violations in recovering a portion of their lost dollars.”
As far back as 2015, Morgan Stanley failed to properly dispose of devices containing its customers’ personal information by hiring a moving company with no experience in data destruction services to decommission thousands of hard drives and servers containing sensitive information of millions of its customers. The company failed to properly monitor the moving company’s work. The computer equipment, some of which contained customer data, was sold via internet auctions. Morgan Stanley was unaware of the problem until a downstream purchaser discovered the data and called the company.
In a second incident, a records reconciliation exercise undertaken by the company during a decommissioning process revealed that 42 servers, all potentially containing unencrypted customer information, were missing. During this process, the company learned that the local devices being decommissioned may have contained unencrypted data due to a manufacturer flaw in the encryption software.
The investigation found that Morgan Stanley had failed to maintain adequate vendor controls and hardware inventories, and that, had these controls been in place, both data security events could have been prevented.
As a result of today’s settlement, Morgan Stanley has agreed to pay $6.5 million to the states and, going forward, adopt a series of provisions to better protect the personal information of its consumers.
The Attorney General’s Office and the Department of Financial Regulation cooperated on this investigation with a multistate group including the Attorneys General of Connecticut, Florida, Indiana, New Jersey, and New York.
Vermonters with concerns about identity theft are encouraged to contact the Attorney General’s Consumer Assistance Program by calling 800-649-2424 or visiting the AGO Consumer Assistance Program webpage.