Are Judges Cracking Down On Data Breach Corporate Victims?

Written by Fred J. Aun
October 28th, 2009

A second federal judge has, this week, pushed back against a settlement involving a major data breach, potentially signaling more dire times for retailers whose data gets snatched courtesy of inadequate security.

Last month, it was a federal judge in Maine who started questioning whether Hannaford should get a walk just because zero-liability programs spared its consumers any out-of-pocket losses.

The new ruling comes from a federal judge in San Francisco, who rejected the class-action settlement proposal for TD Ameritrade on the grounds that it didn’t help the consumer victims sufficiently.

In both cases, the judges reversed positions they’d previously taken. Earlier this year, U.S. District Court Judge Vaughn Walker, overseeing the TD Ameritrade litigation, gave preliminary approval to the proposed settlement that offered anti-spam software to affected consumers and had TD Ameritrade vow to tighten its security practices.

In the security breach, TD Ameritrade account-holder private information was exposed to spammers. Walker granted preliminary approval of the settlement on May 1, but he changed his mind when the time came for giving the deal his final stamp of approval. Walker’s objections to the settlement’s terms were aligned with those expressed in November 2008 by the Texas Attorney General’s Office. In a curious twist, the judge rejected the amended settlement proposal even after the Texas AG said it was satisfactory with the amendments.

Walker expressed dissatisfaction with the proposed settlement, noting that to be approved, a settlement must be “fundamentally fair, adequate and reasonable” and that “the purported benefits to the class remain the problematic element of the settlement.” The judge said the proposed deal “seeks to confer no discernible benefit upon the class,” and he added that some of the things TD Ameritrade promised to do “seem to benefit the company more than the class.”

Walker also took issue with lawyers’ fees, which is a common concern in class-action litigation. Even though the named plaintiffs are consumers—and a lot of them—there’s rarely any consumer who is actually instructing the lawyer. That raises the possibility that attorneys run up legal fees without delivering anything of benefit to the client, a situation the defense attorney, who wants his client left alone, is happy to encourage.

The class members “were to receive no monetary recovery” while the lawyers were going to rake in almost $1.9 million, the judge said. The settlement does “not address adequately the potential harm to class members from identity theft.”

Walker asserted that the settlement would not force TD Ameritrade to adopt any new and permanent security measures to solve the breach vulnerabilities or to describe the details about those problems and how they were repaired. Echoing the Texas AG’s initial grumblings, he said “any reputable company” should perform the vulnerability tests TD Ameritrade was going to conduct anyway. The judge added that, “while it is obvious that, as a large company that deals in sensitive personal information, penetration and data breach tests should be routine practices of TD Ameritrade’s department that handles information security, it is not clear that such tests benefit the class. Even if, in the words of the company, the tests will give class members ‘another objective basis to have confidence that TD Ameritrade’s information security system is sound,’ confidence in this instance does not provide any real value to the class. In short, these two—very temporary—fixes do not convince the court that the company has corrected or will address the security of client data in any serious way, let alone provide discernable benefits for the class.”

Walker also said the proposed one-year subscription or extension of anti-spam software “confers little to no benefit” to the victims, noting that Texas initially pointed out “this software is of little value because similar software is available to most Internet users for free.” He said the Texas AG’s involvement in the proposed amended settlement “does not convince the court that the proposed settlement is fair, reasonable and adequate,” adding that the AG’s efforts “largely resulted in changes to the nature and scope of the notice, rather than altering the purported benefits to the class.”


2 Comments

  1. lala lolo Says:

    What all these articles about this case aren’t mentioning is that Ameritrade was irresponsible about how they dealt with the breach after it happened. They largely denied it occurred, and then when they finally were *forced* to acknowledge it, they were not forthcoming with details – to the detriment of the victims. One can blame them to a large extent for the initial breach. But it is their fault entirely for their behavior afterwards.

  2. Matthew Elvey Says:

    lala lolo: You’re right.

    Fred, good article, except that you don’t mention that the big issue is how much identity fraud resulted from the compromised SS#s. You say “there’s rarely any consumer who is actually instructing the lawyer”. In this case there was such a consumer. But the lawyers (of KamberEdelson) simply refused to follow the instructions. My instructions. I hired ’em. I told ’em the settlement wasn’t acceptable. They slapped my signature on it and filed it anyway. In doing so, they committed perjury, AFAICT. Details on my blog (click my name).

