Morgan Stanley to pay $6.9 million for data breaches and glitches

Morgan Stanley Smith Barney has consented to $6.9 million in fines imposed by state and industry regulators for data breaches and infractions.

The Manhattan financial services giant agreed to pay a $6.5 million fine to New York Attorney General Letitia James and five other attorneys general for two data breaches and $400,000 to the Financial Industry Regulatory Authority for regulatory violations.

In 2016, Morgan Stanley hired a moving company to decommission thousands of computer hard drives and servers that contained sensitive information on millions of customers.

The movers, who had no experience in data destruction services, picked up the devices at data centers in Poughkeepsie and Columbus, Ohio, and sold the devices at auction. A buyer discovered the personal information and notified Morgan Stanley.

In the second incident, while decommissioning equipment, Morgan Stanley discovered that 42 servers that potentially contained unencrypted customer information were missing.

Morgan Stanley will pay New York $1,658,048 for compromising the personal information of 1.1 million New Yorkers, according to the voluntary declaration, and divide the remaining $4.8 million among the attorneys general for Connecticut, Florida, Indiana, New Jersey and Vermont.

The company also agreed to strengthen its data handling procedures.

In the FINRA case, Morgan Stanley failed to deliver 166,104 prospectuses for 65 Exchange-Traded Funds held in more than 44,000 accounts, from August 2020 to October 2022.

The failure stemmed from a coding error in the company’s control systems that indicated that paper prospectuses need not be delivered for the ETFs.

Morgan Stanley faced a similar situation in 2016 when FINRA censured the company and imposed a $1.5 million fine for failing to deliver about 2.1 million prospectuses from November 2013 to August 2014.

In the current case, FINRA credited Morgan Stanley for extraordinary cooperation. The brokerage discovered the coding error last year during a quality assurance review of the vendor that delivered prospectuses.

It fixed the problem, established new procedures, reported the issue to FINRA, and assisted the regulatory agency in its investigation.

Morgan Stanley operates about 1,000 branch offices with more than 27,200 registered representatives. Brokerage services are headquartered in Purchase and the principal place of business for the financial services giant is in Manhattan.

Morgan Stanley Managing Director S. Anthony Taggart signed off on the FINRA agreement on Nov. 10 and the attorneys general deal on Nov. 13. The attorneys general and FINRA endorsed the agreements on Nov. 16.