From Indiana Attorney General <[email protected]>
Subject Attorney General Todd Rokita and team obtain $690,000 for Indiana in settlement with Morgan Stanley over data security incidents
Date November 21, 2023 11:02 AM
  Links have been removed from this email. Learn more in the FAQ.
  Links have been removed from this email. Learn more in the FAQ.
State of Indiana Attorney General - News Release

*Attorney General Todd Rokita and team obtain $690,000 for Indiana in settlement with Morgan Stanley over data security incidents**?*

"Total settlements under Rokita administration near $1 billion "

Attorney General Todd Rokita today announced that his team has obtained $690,000 for Indiana as part of a multistate settlement with a global financial services corporation to resolve allegations of negligent internal data security practices.

?We have taken this action because companies must be held accountable for protecting Hoosiers? data privacy in accordance with our laws,? Attorney General Rokita said. ?Our team will continue standing up for hardworking families and defending their interests and rights as consumers.?

Morgan Stanley Smith Barney LLC ? better known simply as Morgan Stanley ? allegedly compromised the personal information of its customers with a poorly executed plan of decommissioning its computer devices and a failure to erase unencrypted data in certain of those computer devices.

As far back as 2015, Morgan Stanley failed to properly dispose of devices containing its customers? personal information by hiring a moving company with no experience in data destruction services. Morgan Stanley failed to properly monitor the outside firm?s work ? which involved decommissioning thousands of hard drives and servers containing sensitive information of millions of its customers. The computer equipment, some of which contained customer data, was sold via internet auctions. Morgan Stanley learned of problems when a downstream purchaser discovered the data and called the company.

In a second incident, a records reconciliation exercise undertaken by the company during a decommissioning process revealed that 42 servers, all potentially containing unencrypted customer information, were missing. During this process, the company learned that the local devices being decommissioned may have contained unencrypted data due to a manufacturer flaw in the encryption software.

An investigation found that Morgan Stanley failed to maintain adequate vendor controls and hardware inventories ? and that had these controls been in place, both data security events could have been prevented.

Indiana is one of six states ? which include Connecticut, Florida, New Jersey, New York and Vermont ? entering into agreements with Morgan Stanley. The company has agreed to pay $6.5 million in total and to adopt a series of provisions that better protects the personal information of its consumers going forward, including:?


* Maintaining a comprehensive information security program that includes regular updates that are necessary to reasonably protect the privacy, security, and confidentiality of personal information;
* Maintaining an incident response plan that documents incidents and actions taken in relation to the incidents;
* Maintaining a written policy that governs the collection, use, retention, and disposal of consumers? personal information;
* Encrypting all personal information, whether stored or transmitted, between documents, databases, or elsewhere;
* Employing a manual process and automated tools to keep track of locations of all hardware that contains personal information;
* Maintaining a vendor risk assessment team to assess and monitor that their vendors comply with Morgan Stanley?s data security requirements.

As part of their work protecting consumers from illicit business practices, cybersecurity threats, data privacy violations and ID theft, Attorney General Rokita's team has now obtained nearly $1 billion in settlements for Hoosiers.

Settlement documents are attached.

A headshot of?Attorney General Rokita is available to download [ [link removed] ].

###

?

?


* Office of the Indiana AG AVC - Morgan Stanley.pdf [ [link removed] ]
* INDIANA - Morgan Stanley Joint Petition.pdf [ [link removed] ]

SUBSCRIBER SERVICES:
Manage Preferences [ [link removed] ]??|??Delete Profile [ [link removed] ]??|??Help [ [link removed] ]

________________________________________________________________________

This email was sent to [email protected] using GovDelivery Communications Cloud on behalf of: Indiana Attorney General ? Indiana Government Center South,?302 W. Washington St., 5th Floor ??Indianapolis, IN 46204 ??317-232-6201 GovDelivery logo [ [link removed] ]
body .abe-column-block { min-height: 5px; } table.gd_combo_table img {margin-left:10px; margin-right:10px;} table.gd_combo_table div.govd_image_display img, table.gd_combo_table td.gd_combo_image_cell img {margin-left:0px; margin-right:0px;}
Screenshot of the email generated on import

Message Analysis