US banking giant Morgan Stanley has agreed to pay $60 million to settle a lawsuit brought by customers who have alleged that the bank exposed their personal data when it failed – twice – to properly retire its legacy information technology.
Earlier last week, a preliminary settlement of the proposed class action on behalf of about 15 million customers was filed in Manhattan federal court; it requires approval by U.S. District Judge Analisa Torres.
Customers would receive at least two years of fraud insurance coverage, and each can apply for reimbursement of up to $10,000 in out-of-pocket losses.
As part of its agreement deal, Morgan Stanley has denied any wrongdoing and said, it has made “substantial” upgrades to its data security practices.
In 2016, customers had accused Morgan Stanley of having failed to decommission two wealth management data centers before the unencrypted equipment, containing customer data, was resold to unauthorized third parties.
They also said, some older servers containing customer data went missing after Morgan Stanley transferred them in 2019 to an outside vendor.
According to court papers, Morgan Stanley had later recovered the servers.
Morgan Stanley did not immediately respond to requests for comment outside business hours.
In October 2020, Morgan Stanley had agreed to pay a $60 million civil fine to resolve a U.S. Office of the Comptroller of the Currency investigation revolving around the incidents, including that its information security practices were unsafe or unsound.
The case is In re Morgan Stanley Data Security Litigation, U.S. District Court, Southern District of New York, No. 20-05914.