Oct. 26, 2009

Judge Rejects Settlement With TD Ameritrade Over Security Breach, Says Deal is Not Fair to Customers

Ameritrade Has Never Said What It Has Done To Address Security Concerns

WASHINGTON, D.C. - A federal judge has rejected a class action lawsuit settlement between TD Ameritrade and as many as six million of its clients, saying the deal offers little benefit to customers whose confidential information was hacked in one of the largest security breaches in U.S. history.

Public Citizen filed an opposition to the settlement last year in the U.S. District Court for the Northern District of California on behalf of its client, Matthew Elvey, an Ameritrade customer and lead plaintiff in the class action suit against the Internet stock-trading company. Public Citizen argued that the proposed settlement did little to address the breach that allowed hackers access to customers’ Social Security numbers, birth dates, e-mail addresses and other personal information.

The company’s offer to provide its clients with a one-year subscription to anti-spam software would do nothing to protect customers from identity theft and would be useless to those who already have anti-spam software or could obtain similar protection for free. Regardless of what compensation Ameritrade offers, the company promised little to prevent a future breach or to reassure customers who had been complaining for almost two years that their private account information was being stolen from the company, said Greg Beck, the Public Citizen attorney who is representing Elvey, along with California attorney Mark A. Chavez of Chavez & Gertler.

“The court recognized that the settlement benefits Ameritrade more than its customers,” Beck said. “Ameritrade should not get off the hook for its massive security breach until it comes clean with its clients and shows it has fixed the problem.”

Elvey, a San Francisco Bay area computer consultant, learned of the security breach when he started receiving spam at an e-mail address he used exclusively with his Ameritrade account. When he informed Ameritrade of the problem in November 2006, the company responded via e-mail that it was “conducting a thorough investigation into this matter.” Ameritrade did not admit the existence of the breach until September 2007, after Elvey moved for an injunction forcing the company to disclose how his e-mail address had been compromised. At about the time that the breach came to light, Elvey’s Social Security number was used in a fraudulent transaction.

Elvey asked the judge to reject the settlement agreed to by Ameritrade and his former counsel unless Ameritrade makes information about the breach available to the public, including when it happened and what information was taken. He also wants the company to do a better job informing its customers about the breach and the risk of identity theft.

The rejection of the proposed settlement allows the sides to either reach a new agreement or proceed to trial.

###