INDIANAPOLIS — Officials with the office of Indiana Attorney General Todd Rokita announced Tuesday that more than $600,000 has been given to Indiana as part of a multistate settlement.
According to a news release from Rokita’s office, Indiana was given $690,000 as part of a multistate settlement with a global financial services corporation to resolve allegations of negligent internal data security practices.
Officials said Morgan Stanley Smith Barney LLC, or Morgan Stanley, reportedly compromised the personal information of its customers. The company reportedly failed to properly dispose of devices containing personal information of its customers.
An investigation found that the company “failed to maintain adequate vendor controls and hardware inventories,” which would have prevented the incidents from happening had they been implemented. The release said that the company agreed to pay $6.5 million in total to six states, including Connecticut, Florida, New Jersey, New York and Vermont.
“We have taken this action because companies must be held accountable for protecting Hoosiers’ data privacy in accordance with our laws,” Rokita said in the release. “Our team will continue standing up for hardworking families and defending their interests and rights as consumers.”
According to the release, the company has also said it would adopt a series of provisions that will help protect the personal information of its consumers, including:
- Maintaining a comprehensive information security program, including regular updates necessary to protect the privacy, security and confidentiality of their personal information.
- Maintaining an incident response plan that documents incidents and actions taken in relation to the incidents.
- Maintaining a written policy that governs the collection, use, retention and disposal of consumers’ personal information.
- Encrypting all personal information, whether stored or transmitted, between documents, databases or elsewhere.
- Employing a manual process and automated tools to keep track of locations of all hardware that contains personal information.
- Maintaining a vendor risk assessment team to assess and monitor that their vendors comply with the company’s data security requirements.