BreachExchange mailing list archives

New settlement offered in TD Ameritrade data theft


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Tue, 16 Nov 2010 23:10:36 -0500

http://www.boston.com/news/local/connecticut/articles/2010/11/16/new_settlement_offered_in_td_ameritrade_data_theft/

OMAHA, Neb.—Millions of current and former TD Ameritrade customers
whose contact information may have been stolen more than three years
ago will be eligible to receive as much as $2,500 under a new proposed
settlement agreement.

But it's not clear how many of the 6.2 million TD Ameritrade customers
affected will be able to collect anything under the proposed
settlement outlined in court documents filed Monday, because the
payments will only be offered to identity-theft victims. And most of
the payments, which would range between $50 and $2,500 per person,
will likely be less than the maximum.

A federal judge who rejected an earlier settlement agreement also must
approve the deal.

The new proposed settlement, which is the second attempt at resolving
the lawsuit, will cost Ameritrade between $2.5 million and $6.5
million. If claims worth more than $6.5 million are submitted, the
payments to individuals and the plaintiffs' lawyers will be reduced.

The Omaha-based company disclosed the breach in September 2007. Anyone
who held an Ameritrade account or provided an e-mail address to the
company before then could have been affected by the data theft.

Ameritrade spokeswoman Kristin Petrick said the company believes the
settlement is fair and hopes the judge will approve the deal.

The plaintiffs said in the lawsuit that they received unwanted stock
e-mail ads. The ads appeared to be designed to manipulate the value of
thinly traded stocks.

Last year, U.S. District Judge Vaughn Walker in San Francisco rejected
an earlier class-action settlement because it didn't do enough to
benefit the Ameritrade customers affected. A hearing on the new
settlement is scheduled for Dec. 23.

The initial settlement that was rejected offered customers only
anti-spam software and a promise of tighter security at TD Ameritrade.
Under that deal, the plaintiffs' lawyers were set to receive nearly
$1.9 million in legal fees.

The new settlement will provide cash payments between $50 and $2,500
to affected Ameritrade customers who suffered identity theft and
submit a claim. The amount people will receive would be determined by
the extent of the identity theft they experienced.

Plaintiffs' attorney Gretchen Nelson said it's difficult to prove an
identity theft was caused by a particular data breach, so the
settlement is designed to allow for that.

Ameritrade's Petrick said customers won't have to prove their identity
theft problems were related to the data theft. As long as people can
show they were Ameritrade customers and suffered identity theft from
an unknown cause, they will be able to submit a claim for payment.

Customers who only received unwanted stock e-mail would not be
eligible for any compensation under the new settlement.

Under the new settlement, attorneys' fees are capped at $500,000.

If the claims submitted and attorneys' fees in the settlement add up
to less than $2.5 million, Ameritrade will donate any remaining money
up to $2.5 million to nonprofit groups concerned about privacy rights,
such as the Electronic Privacy Information Center.

The total cost of the new settlement is limited to $6.5 million, and
Petrick said it will not have a material impact on Ameritrade's
earnings. The deal also calls for Ameritrade to hire an independent
expert to evaluate its information technology security measures.

TD Ameritrade revealed the data theft in September 2007, but company
officials have not discussed many details of the breach.

The company did store sensitive information, including Social Security
numbers and account numbers, in the database that was hacked. But
officials have said that information does not appear to have been
taken.

TD Ameritrade officials have said they were confident the company had
identified how the information was stolen and had changed its computer
code enough to prevent the theft from recurring.

The company has said other Ameritrade databases, where information
such as passwords, user IDs and personal identification numbers are
kept, were not violated.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
