A preliminary settlement of the proposed class action on behalf of approximately 15 million customers was filed in Manhattan federal court on Friday night, and it is subject to approval by U.S. District Judge Analisa Torres.
Customers would receive at least two years of fraud insurance coverage, and they could apply for up to $10,000 in out-of-pocket losses.
According to settlement papers, Morgan Stanley denied wrongdoing in agreeing to settle and has made "substantial" improvements to its data security practices.
Customers accused Morgan Stanley of failing to decommission two wealth management data centers in 2016 before reselling unencrypted equipment containing customer data to unauthorized third parties.
They also claimed that some older servers containing customer data vanished after Morgan Stanley transferred them to an outside vendor in 2019. According to court documents, Morgan Stanley later recovered the servers.
Morgan Stanley said in an email on Monday that it had notified all affected customers and was pleased to settle the lawsuit.
Morgan Stanley agreed to pay a $60 million civil fine in October 2020 to settle allegations made by the US Office of the Comptroller of the Currency about the incidents, including that its information security practices were unsafe or unsound.