Morgan Stanley Hit with Class Lawsuit Over Alleged Data Breaches
Former and current Morgan Stanley customers have filed a putative class-action lawsuit alleging negligence and invasion of privacy over the firm’s failure to properly scrub decommissioned hardware of personal information such as social security numbers, account numbers and other personal data.
Morgan Stanley earlier this month began notifying brokers and customers that some client information remained on hardware from two data centers that were closed in 2016.
“In addition to Morgan Stanley’s failure to prevent the Data Breach, Defendant failed to detect the Data Breach for years, and when they did discover the Data Breach, it took them over a year, possibly longer, to report it to the affected individuals and the states’ Attorneys General,” the lawsuit said.
A Morgan Stanley spokeswoman declined to comment on the suit. The firm had earlier said it had no evidence after working with outside experts that any personal information had been recovered or misused.
“We have continuously monitored the situation and have not detected any unauthorized activity related to the matter,“ it said in letters to clients seen by AdvisorHub that referenced only the 2016 data-center issue. “[I]n an abundance of caution, we wanted to make you aware of this matter and what we are doing to protect you.”
Affected individuals, some of whom were Smith Barney customers who closed their accounts before Morgan Stanley bought the firm a decade ago, can receive two years of free credit monitoring and fraud detection services if they sign up directly with Experian by October 31, according to the letters.
The lawsuit was filed by five residents of California, New York, Florida and Illinois on behalf of an unspecified number of people who received the letters, and does not specify the potential class size. It seeks certification of a national class and a separate “California subclass” (asserting two counts of unfair business practices under California law).
“This case does not involve a breach of a computer system by a third party, but rather an unauthorized disclosure of PII [personal identifiable information] to unknown third parties,” the lawsuit said.
It did not specify a damage amount, but said plaintiffs were injured by the “lost or diminished value” of their personal identification data, the continued uncertainty and risk of identity theft, out-of-pocket expenses they may incur to detect fraud and lost opportunity costs.
“The missing equipment and servers contain everything unauthorized third-parties need to illegally use Morgan Stanley’s current and former customers’ PII to steal their identities and to make fraudulent purchases, among other things,” according to the suit.
Richard Gamen, one of the named plaintiffs, has filed a complaint with the Federal Trade Commission and spent time “verifying the legitimacy of the Notice of Data Breach, communicating with Morgan Stanley representatives on the toll-free number supplied in the notice, exploring credit monitoring and identity theft insurance options, and self- monitoring their accounts,” the lawsuit says. “This time has been lost forever and cannot be recaptured.”
The plaintiffs’ lawyers at Morgan & Morgan, Clayeo C. Arnold and The Consumer Protection Firm who filed the complaint did not immediately respond to requests for comment on the potential size of the class or an estimate of the actual and punitive damages being sought. (The suit is captioned Sylvia Tillman, Amresh Jaiijee, Vivian Yates, Richard Gamen, Cheryl Gamen on behalf of themselves and all others similarly situated vs. Morgan Stanley Smith Barney, LLC.)
In 2016, Morgan Stanley reached a $1 million settlement with the Securities and Exchange Commission for failing to supervise a broker who downloaded client data onto his personal computer. The FTC determined that the data breach, which affected up to 350,000 accounts, was a result of a “glitch” and did not impose sanctions.
Spoke with a few clients of MS over the past week. Those breach letters seem to have caused quite a stir!
Such a double standard….
Advisors who turn in a breakfast receipt with their spouse for $30 are fired and their lives are ruined, but Morgan Stanley, Wells Fargo and the others can commit massive frauds motivated by greed with just a small fine and a slap on the wrist. Best to leave, join an RIA and end the 60% handling fee.
I don’t know about Morgan Stanley, but Wells cleared out at the CEO and terminated dozens of people over their issue, so I don’t think that qualifies as “a slap on the wrist.” Just sayin.
This all stems back to Capital Markets and the proprietary website they built in wealth mgmt without authorization from the firm IT group. Very simple for FA’s to poach accounts on that website if they could figure it out. How do others get in this class action????? Vince Lumia was part of the Fixed Income group that managed that website. He can give you all the answers, but he’ll get a raise!
They can’t even do payroll right. All the third party vendors!
BTW-you have to call Experian and do it yourself!!!!!
This should be automatic – where are the regulators.
FA’s are hard working and honest but management from JimmieG on down are a bunch of yes men. Don’t forget JG was there at the beginning of ML collapse with Stan O’Neil. Don’t forget the data breach with that FA Galin a couple of years back where he had client records from all over the Firm. No manger took a hit on failure to supervise, MS just looks the other way. Worst management on Wall street.
Can we add our names to this law suit?