Settlement Proposed In Ameritrade Data Breach Lawsuit

After admitting it had security holes that allowed a security breach of more than 6.2 million customers, attorneys for TD Ameritrade this week agreed to a settlement of a class action lawsuit.

(Editor's Note: This story has been updated, with the judge on Friday rejecting the settlement.)

The 74-page settlement outlined several efforts by Ameritrade, but it did not include any cash payments to the consumers who sued the company. Among the agreements were that Ameritrade will warn consumers about investment SPAM, pay for limited security testing, seed E-mail accounts seeking violators, pay $20,000 to the Honeynet Project and $35,000 to the National Cyber Forensics and Training Alliance as well as buy some of the impacted consumers a one-year license for an Ameritrade-selected anti-SPAM software package.

Although all but three of the consumer plaintiffs will not receive any cash payment, the settlement suggests a $1.87 million payment for attorneys' fees plus $9,000 for expense reimbursement. The three class representative plaintiffs—consumers who brought the original case and researched and worked the issues—will get paid, with Matthew Elvey receiving $10,000 and Brad Zigler and Joel Griffiths each getting $1,000.

Compared with some of the other major data breaches in the last few years—such as the classic TJX incident--the Ameritrade breach seemed to involve much more mild provable damage. Unlike the credit card information involved in TJX, for example, the only information that Ameritrade has confirmed intruders got were names, E-mail addresses, phone numbers and physical addresses. Unlike bogus payment card charges, the damages here were confined mostly to consumers receiving investment E-mail SPAM, although the potential for identity theft still exists.

Mark Rasch, an attorney who specializes in data fraud cases and who is the former head of the U.S. Justice Department's white-collar crime unit, said the weakness of provable damages in the Ameritrade case made the settlement appropriate.

"It's hard for the plaintiffs to demonstrate any actual damages other than annoyance or aggravation," Rasch said. "This kind of information (loss) doesn't mean you've won the lottery and doesn't mean you deserve a giant check from the company."

One of the lead attorneys for the consumer plaintiffs, Ethan Preston, said he thought it was "a great settlement," primarily because the initial lawsuit pushed Ameritrade into disclosing the breach.

The problem is that the disclosure didn't include any specifics of the breach, including the nature of Ameritrade's security at the time. If, for example, Ameritrade's disclosure was specific enough to allow IT leaders at other companies to prevent this kind of breach from hitting them, that could be a public benefit.

The second advantage to such a detailed disclosure is also the reason it didn't happen. There are two extreme possibilities and many in-between scenarios. The cautious extreme is that Ameritrade's defenses were beyond industry standards, that no major security holes existed and that the cyber-thieves were especially creative and resourceful. The reckless extreme is the opposite, that Ameritrade had many obvious security holes and that its protections were sloppy in the extreme. Therefore, a detailed disclosure could open Ameritrade to other lawsuits by consumers complaining about weak security.

U.S. District Court Chief Judge Vaughn R. Walker, hearing the attorneys present the settlement in his San Francisco courtroom Thursday (June 12), didn't make a ruling, but he did question how much money Ameritrade was paying for the anti-SPAM software licenses it would be giving out. Ameritrade lawyer Lee Rubin said Ameritrade was paying "significantly less" than retail value for the Security Pro software, according to this Wired story.