Last year, I wrote about why a proposed class-action lawsuit settlement between TD Ameritrade and its customers stunk. The deal did very little for the millions of customers whose confidential information was hacked and provided virtually no information about the size of the security breach or what Ameritrade was doing to make sure it didn’t happen again. Public Citizen opposed the settlement on behalf of its client, the lead plaintiff in the class-action suit.
Late last week, a federal judge in northern California agreed with us, rejecting the proposed settlement, saying the deal offers little benefit to customers whose confidential information was hacked in one of the largest security breaches in U.S. history.
The company’s offer to provide its clients with a one-year subscription to anti-spam software would do nothing to protect customers from identity theft and would be useless to those who already have anti-spam software or could obtain similar protection for free. Public Citizen attorney Greg Beck said:
The court recognized that the settlement benefits Ameritrade more than its customers. Ameritrade should not get off the hook for its massive security breach until it comes clean with its clients and shows it has fixed the problem.
Public Citizen’s client, Matthew Elvey, a San Francisco Bay area computer consultant, learned of the security breach when he started receiving spam at an e-mail address he used exclusively with his Ameritrade account. When he informed Ameritrade of the problem in November 2006, the company responded via e-mail that it was “conducting a thorough investigation into this matter.” Ameritrade did not admit the existence of the breach until September 2007, after Elvey moved for an injunction forcing the company to disclose how his e-mail address had been compromised. At about the time that the breach came to light, Elvey’s Social Security number was used in a fraudulent transaction.
Elvey asked the judge to reject the settlement agreed to by Ameritrade and his former counsel unless Ameritrade makes information about the breach available to the public, including when it happened and what information was taken. He also wants the company to do a better job informing its customers about the breach and the risk of identity theft.
The rejection of the proposed settlement allows the sides to either reach a new agreement or proceed to trial.