The cost to Morgan Stanley for saving $100K using an uncertified IT Asset Disposition vendor to retire over 4,900 IT assets, some with unencrypted data and PII, is now up to $120 million.

♦ In a preliminary settlement of the proposed class-action lawsuit on behalf of about 15 million customers, MS agreed to pay $60 million to settle the suit by customers who said the Wall Street bank exposed their personal data when it twice failed to properly retire some of its older information technology.

♦ Customers would receive at least two years of fraud insurance coverage, and each can apply for reimbursement of up to $10,000 in out-of-pocket losses.

♦ MS denied wrongdoing in agreeing to settle and claims to have made “substantial” upgrades to its data security practices.

♦ In October 2020, MS agreed to pay a $60 million civil fine to resolve U.S. Office of the Comptroller of the Currency accusations concerning the incidents, including that its information security practices were unsafe or unsound.

This is the 3rd and likely final post in my series on this fiasco, and my previous 2 posts go into quite a bit of detail about how MS chose an unqualified area moving company to cut their cost, and the assets were in turn sold to brokers, resellers, and other vendors without the data on the drives being sanitized first.

Morgan Stanley Names Vendor in Data Security Case:

Global Financial Services Firm Uses a Moving Company to Retire Over 4,900 Devices with Unencrypted PII Data:

For those wondering if the purchasers were somehow complicit in reselling the assets without checking for data or overwriting data on the drives, and that somehow means their R2, e-Stewards, or NAID AAA certifications are meaningless, only the company MS contracted for the ITAD work is responsible for that work and the only company liable for not doing so. Data overwriting is a costly process in time, manpower, and energy, and companies engaged in buying and reselling drives are under no obligation to incur that expense as a charity, no matter what certification(s) they have.

It’s critical for the original owners of IT assets to select the best qualified ITAD vendor to hand custody of the assets to and contract for proper data sanitization. Even for companies that $120M is a slap-on-the-wrist cost of getting caught, it would have been less time-consuming and costly had they just selected one of the 6 US-based ITAD vendors with NAID AAA data security-specialized certifications for all types of digital media, like NextUse.

Original article here