Morgan Stanley (MS.N) agreed to pay $60 million to settle a lawsuit by customers who said the Wall Street bank exposed their personal data when it twice failed to properly retire some of its older information technology.
A preliminary settlement of the proposed class action on behalf of about 15 million customers was filed on Friday night in Manhattan federal court, and requires approval by U.S. District Judge Analisa Torres.
Customers would receive at least two years of fraud insurance coverage, and each can apply for reimbursement of up to $10,000 in out-of-pocket losses.
Morgan Stanley denied wrongdoing in agreeing to settle, and has made “substantial” upgrades to its data security practices, according to settlement papers.
Customers accused Morgan Stanley of having in 2016 failed to decommission two wealth management data centers before the unencrypted equipment, which still contained customer data, was resold to unauthorized third parties.
They also said some older servers containing customer data went missing after Morgan Stanley transferred them in 2019 to an outside vendor. Morgan Stanley later recovered the servers, court papers show.
Morgan Stanley did not immediately respond to requests for comment outside business hours.
In October 2020, Morgan Stanley agreed to pay a $60 million civil fine to resolve U.S. Office of the Comptroller of the Currency accusations concerning the incidents, including that its information security practices were unsafe or unsound.
The case is In re Morgan Stanley Data Security Litigation, U.S. District Court, Southern District of New York, No. 20-05914.
Reporting by Jonathan Stempel in New York; Editing by Daniel Wallis