Morgan Stanley has asked a New York federal court to throw out a class action lawsuit alleging the firm failed to properly wipe sensitive client information from decommissioned computer equipment that has since gone missing.
The former clients cannot plausibly identify instances of personal data being accessed or misused, or any other injury, that give the case standing, according to a statement filed Monday by Morgan Stanley. The bank asked for the case, which started in August, 2020, with a pair of lawsuits and has since grown to nearly a dozen named plaintiffs, to be dismissed in its entirety and with prejudice.
“Despite all of plaintiffs’ incendiary allegations, this case fundamentally arises out of events that did not involve the exposure of any personal or financial information in connection with a specific data breach, any malicious actors, a deliberate cyberattack, phishing or malware,” Morgan Stanley says in the filing.
However, the plaintiffs claim impacted clients have reported to Morgan Stanley various forms of identity theft attributed to the incident in question, according to an amended complaint filed in July after a period of discovery. Clients’ personal information was used to open financial accounts, apply for employment benefits and student loans, and file fraudulent tax returns, the plaintiffs allege.
Nussbaum Law Group, one of the firms representing the plaintiffs, declined to comment beyond the July complaint. Morgan & Morgan, another firm representing the plaintiffs, did not respond to a request for comment.
According to the original complaint, Morgan Stanley hired a vendor to remove customer data from computer equipment pertaining to two data centers the bank closed in 2016. Morgan Stanley later learned that some of the devices still contained unencrypted data after it left the firm’s possession.
In letters signed by chief information security officer Gerard Brady and sent to various state attorneys general, Morgan Stanley said branch office servers the firm disconnected in 2019 had a software flaw that left “previously deleted data” on the hard drives, unencrypted. “During a recent inventory, we were unable to locate a small number of those devices,” the notification states.
Because of incidents, Morgan Stanley was hit with a $60 million fine from the Office of the Comptroller of the Currency.
The updated complaint alleges the bank terminated a contract with IBM to decommission the equipment, instead hiring a local moving company without experience in technology disposal to save money. The plaintiffs also allege Morgan Stanley failed to supervise the project and “feigned shock” when it learned the equipment still contained sensitive information.
“To this day, as a result of Morgan Stanley’s systemic failures and lack of inventory records, thousands of pieces of IT equipment containing unencrypted Morgan Stanley client [personally identifiable information] remain completely unaccounted for,” the plaintiffs say in their complaint. “Many of these devices have been offered for sale on the internet and remain in the hands of third-party purchases who now have unfettered access to the PII of millions of Morgan Stanley’s former and current clients.”
But specific instances of identity theft or fraud cannot not be traced back to either data breach incident, the bank says in its motion to dismiss. Alleged instances happened before the 2019 event, and connecting them to 2016 is “purely speculative,” the bank says.
A spokesperson for Morgan Stanley says the firm has continuously monitored the situation and has not detected any unauthorized access to, or misuse of, PII.
“The amended complaint is replete with sensational allegations and conspiracy theories that in no way suggest any actionable client harm,” the spokesperson wrote in an email. “We continue to vigorously defend against these claims.”
Morgan Stanley has struggled with other data security issues. In July, the bank disclosed that a data breach at one of its contractors exposed customer names, dates of birth, Social Security numbers and company names of customers whose stock accounts had gone dormant.