Are Judges Cracking Down On Data Breach Corporate Victims?
Written by Fred J. Aun
A second federal judge has, this week, pushed back against a settlement involving a major data breach, potentially signaling more dire times for retailers whose data gets snatched courtesy of inadequate security.
Last month, it was a federal judge in Maine who started questioning whether Hannaford should get a walk just because zero-liability programs spared its consumers any out-of-pocket losses.
The new ruling comes from a federal judge in San Francisco, who rejected the class-action settlement proposal for TD Ameritrade on the grounds that it didn’t help the consumer victims sufficiently.
In both cases, the judges reversed positions they’d previously taken. Earlier this year, U.S. District Court Judge Vaughn Walker, overseeing the TD Ameritrade litigation, gave preliminary approval to the proposed settlement that offered anti-spam software to affected consumers and had TD Ameritrade vow to tighten its security practices.
In the security breach, TD Ameritrade account-holder private information was exposed to spammers. Walker granted preliminary approval of the settlement on May 1, but he changed his mind when the time came for giving the deal his final stamp of approval. Walker’s objections to the settlement’s terms were aligned with those expressed in November 2008 by the Texas Attorney General’s Office. In a curious twist, the judge rejected the amended settlement proposal even after the Texas AG said it was satisfied with the amendments.
Walker expressed dissatisfaction with the proposed settlement, noting that to be approved, a settlement must be “fundamentally fair, adequate and reasonable” and that “the purported benefits to the class remain the problematic element of the settlement.” The judge said the proposed deal “seeks to confer no discernible benefit upon the class,” and he added that some of the things TD Ameritrade promised to do “seem to benefit the company more than the class.”
Walker also took issue with lawyers’ fees, which is a common concern in class-action litigation. Even though the named plaintiffs are consumers—and a lot of them—there’s rarely any consumer who is actually instructing the lawyer. That raises the possibility for attorneys to run up legal fees without delivering anything of benefit to the client, a situation encouraged by the defense attorney, who wants his client left alone.
The class members “were to receive no monetary recovery” while the lawyers were going to rake in almost $1.9 million, the judge said. The settlement does “not address adequately the potential harm to class members from identity theft.”
Walker asserted that the settlement would not force TD Ameritrade to adopt any new and permanent security measures to solve the breach vulnerabilities or to describe the details about those problems and how they were repaired. Echoing the Texas AG’s initial grumblings, he said “any reputable company” should perform the vulnerability tests TD Ameritrade was going to conduct anyway. The judge added that, “while it is obvious that, as a large company that deals in sensitive personal information, penetration and data breach tests should be routine practices of TD Ameritrade’s department that handles information security, it is not clear that such tests benefit the class. Even if, in the words of the company, the tests will give class members ‘another objective basis to have confidence that TD Ameritrade’s information security system is sound,’ confidence in this instance does not provide any real value to the class. In short, these two—very temporary—fixes do not convince the court that the company has corrected or will address the security of client data in any serious way, let alone provide discernable benefits for the class.”
Walker also said the proposed one-year subscription or extension of anti-spam software “confers little to no benefit” to the victims, noting that Texas initially pointed out “this software is of little value because similar software is available to most Internet users for free.” He said the Texas AG’s involvement in the proposed amended settlement “does not convince the court that the proposed settlement is fair, reasonable and adequate,” adding that the AG’s efforts “largely resulted in changes to the nature and scope of the notice, rather than altering the purported benefits to the class.”
October 28th, 2009 at 11:01 pm
What all these articles about this case aren’t mentioning is that Ameritrade was irresponsible about how they dealt with the breach after it happened. They largely denied it occurred, and then when they finally were *forced* to acknowledge it, they were not forthcoming with details – to the detriment of the victims. One can blame them to a large extent for the initial breach. But it is their fault entirely for their behavior afterwards.
November 12th, 2009 at 1:29 pm
lala lolo: You’re right.
Fred, good article, except that you don’t mention that the big issue is how much identity fraud resulted from the compromised SS#s. You say “there’s rarely any consumer who is actually instructing the lawyer”. In this case there was such a consumer. But the lawyers (of KamberEdelson) simply refused to follow the instructions. My instructions. I hired ’em. I told ’em the settlement wasn’t acceptable. They slapped my signature on it and filed it anyway. In doing so, they committed perjury, AFAICT. Details on my blog (click my name).