Morgan Stanley Sued Over Alleged Client Info Breaches

By Miriam Rozen July 31, 2020

Current and former Morgan Stanley clients have filed a lawsuit against the wirehouse alleging it failed to safeguard their personal information. The plaintiffs also allege that Morgan Stanley failed to promptly notify them of potential compromises of their Social Security and passport numbers and other personal information.

The suit, filed on July 29 in a Manhattan federal court, seeks class action status but does not quantify the number of potential class members or the amount of damages.

The plaintiffs — residents of California, New York, Florida and Illinois — include one existing and three former Morgan Stanley clients, as well as another whose current client status is not identified.

On or about July 9, Morgan Stanley began notifying various state attorneys general about multiple data breaches that occurred as early as 2016, according to the suit. Around the same time, Morgan Stanley also sent a notice of data breach to impacted current and former customers, the suit adds.

The wirehouse learned that starting in 2016, the decommissioning and replacement of computer equipment may have left unencrypted client data in the wrong hands, the suit alleges. In 2016, Morgan Stanley closed two data centers, decommissioned computer equipment and hired a vendor to wipe client information from those machines, the suit states. But Morgan Stanley then learned “certain devices believed to have been wiped of all information still contained some unencrypted data” and some of that equipment is missing, the suit adds.

In a letter to Iowa attorney general Tom Miller, Morgan Stanley chief information security officer Gerard Brady included information about another “breach” that began in 2019, the lawsuit alleges. It was then that the wirehouse disconnected and replaced multiple branch-located computer servers, which still contained unencrypted customers’ data because of a “software flaw,” the lawsuit alleges.

When asked how many wirehouse clients have been notified about the potentially compromised data, a Morgan Stanley spokesperson didn’t provide a number.

Although the spokesperson did not comment on the pending lawsuit, she stressed that Morgan Stanley has not identified personal information abuses related to the incidents.

“We have continuously monitored the situation and have not detected any unauthorized activity related to the matter, nor access to or misuse of personal client data,” the spokesperson says in an emailed statement.

In a memo sent to the firm’s financial advisors and brokers earlier this month, Morgan Stanley Wealth Management’s head of field management, Vince Lumia, wrote about the 2016 decommissioned equipment.

“We are not aware of any access to or misuse of client personal information,” he wrote. “We conducted a thorough investigation with assistance from outside technical experts to understand the facts and any potential risk to our clients’ data. With their help, we concluded that it would be very difficult for anyone to access or misuse the data, given what we believe subsequently happened to those devices and the fact that many of the devices had design features that made it unlikely that data was accessed or misused.”

According to the pending class action suit, in letters to the plaintiffs, Morgan Stanley offered two years of free credit monitoring services through Experian.

The plaintiffs include California resident Sylvia Tillman and Illinois residents Richard Gamen and Cheryl Gamen, all former clients; New York resident Amresh Jaijee, an existing client; and Florida resident Vivian Yates, whose client status is not identified. The plaintiffs’ lawyers did not return a request for comment for this story.

The lawsuit asserts negligence and invasion of privacy claims, among others, and seeks punitive damages and attorney fees and expenses, as well as an injunction. The plaintiffs also want the court to compel the wirehouse “to use appropriate cyber security methods and policies with respect” to collection, storage, protection, and disposal of personal information, and “to disclose with specificity” the type of information compromised.

In 2016, the SEC fined Morgan Stanley $1 million for failing to have federally mandated policies and procedures guarding customer information, as reported.
