Morgan Stanley Hit with Class Lawsuit Over Alleged Data Breaches
Former and current Morgan Stanley customers have filed a putative class-action lawsuit alleging negligence and invasion of privacy over the firm’s failure to properly scrub decommissioned hardware of personal information such as social security numbers, account numbers and other personal data.
Morgan Stanley earlier this month began notifying brokers and customers that some client information remained on hardware from two data centers that were closed in 2016.
“In addition to Morgan Stanley’s failure to prevent the Data Breach, Defendant failed to detect the Data Breach for years, and when they did discover the Data Breach, it took them over a year, possibly longer, to report it to the affected individuals and the states’ Attorneys General,” the lawsuit said.
A Morgan Stanley spokeswoman declined to comment on the suit. The firm had earlier said it had no evidence after working with outside experts that any personal information had been recovered or misused.
“We have continuously monitored the situation and have not detected any unauthorized activity related to the matter,” it said in letters to clients seen by AdvisorHub that referenced only the 2016 data-center issue. “[I]n an abundance of caution, we wanted to make you aware of this matter and what we are doing to protect you.”
Affected individuals, some of whom were Smith Barney customers who closed their accounts before Morgan Stanley bought the firm a decade ago, can receive two years of free credit monitoring and fraud detection services if they sign up directly with Experian by October 31, according to the letters.
The lawsuit was filed by five residents of California, New York, Florida and Illinois on behalf of an unspecified number of people who received the letters, and does not specify the potential class size. It seeks certification of a national class and a separate “California subclass” (asserting two counts of unfair business practices under California law).
“This case does not involve a breach of a computer system by a third party, but rather an unauthorized disclosure of PII [personally identifiable information] to unknown third parties,” the lawsuit said.
It did not specify a damage amount, but said plaintiffs were injured by the “lost or diminished value” of their personal identification data, the continued uncertainty and risk of identity theft, out-of-pocket expenses they may incur to detect fraud and lost opportunity costs.
“The missing equipment and servers contain everything unauthorized third-parties need to illegally use Morgan Stanley’s current and former customers’ PII to steal their identities and to make fraudulent purchases, among other things,” according to the suit.
Richard Gamen, one of the named plaintiffs, has filed a complaint with the Federal Trade Commission and spent time “verifying the legitimacy of the Notice of Data Breach, communicating with Morgan Stanley representatives on the toll-free number supplied in the notice, exploring credit monitoring and identity theft insurance options, and self-monitoring their accounts,” the lawsuit says. “This time has been lost forever and cannot be recaptured.”
The plaintiffs’ lawyers at Morgan & Morgan, Clayeo C. Arnold and The Consumer Protection Firm, who filed the complaint, did not immediately respond to requests for comment on the potential size of the class or an estimate of the actual and punitive damages being sought. (The suit is captioned Sylvia Tillman, Amresh Jaiijee, Vivian Yates, Richard Gamen, Cheryl Gamen on behalf of themselves and all others similarly situated vs. Morgan Stanley Smith Barney, LLC.)
In 2016, Morgan Stanley reached a $1 million settlement with the Securities and Exchange Commission for failing to supervise a broker who downloaded client data onto his personal computer. The FTC determined that the data breach, which affected up to 350,000 accounts, was a result of a “glitch” and did not impose sanctions.