Ameritrade is proposing a settlement to a class action lawsuit filed in response to their data breach last year. Approximately 6.3 million customers were affected by the incident. Although there have been no reports of identity theft yet (and, honestly speaking, we won’t know for some time, I imagine, since attempts at identity theft supposedly tend to mature about a year after the breach itself), there have been attempts to scam customers via phishing. I remarked last year that maybe Ameritrade should have looked into encrypting their most sensitive files using file encryption. Ameritrade, for their part, claim that there is “‘no evidence Social Security or account information was compromised,’” according to this Wired article.
There are complaints regarding the settlement, though. The core proposal is that Ameritrade spend $12 million or so to sign up the affected customers for one year of spam-blocking software, a figure which includes the lawyers’ fees. Ultimately, penalties to Ameritrade would work out to about $2 per customer.
I understand why people are complaining. To begin with, $2 seems, on a personal level, too little. If I were one of the affected, I would imagine that my time spent worrying has a much higher value. On the other hand, you can’t sue a company because they temporarily turned you into a worrywart; you have to be able to prove harm. With most people not being affected directly by the incident, there are no damages to point at, just a general feeling of unrest.
Also, those turning to Ameritrade’s annual statements would notice that the company’s cash flow last year was $578 million, with net income of $645 million. A one-time hit of $10 million looks like a pittance in comparison. To those looking to gain $2, it looks like Ameritrade is the winner in this case.
On the other hand, Ameritrade is being dealt a rough hand as well. It doesn’t matter if you’re making $500 million a year or $500 billion a year, $10 million is no laughing matter, especially if shareholders are willing to sue for breach of fiduciary duty. Supposedly, this is the reason why companies do their utmost to win lawsuits: admitting defeat under equivocal circumstances could set in motion legal action directed at top management.
This is a classic case of lose-lose. The company loses credibility and money that can be diverted to other uses, and the disaffected clients, well, they technically gain $2, which is not much of a gain. The overall result is that nothing is fixed and everyone is dissatisfied.
If you or your company handles sensitive data, don’t set yourself up for the above scenario by doing nothing or being lax with data security practices. Data security, unfortunately, is a game (as in game theory, not basketball): if you can’t have the best, at least play the odds so that you can increase your data protection levels as high as possible. For example, if your company has a substantial number of laptop computers in use, one of the best methods to protect the data is, to date, the use of encryption software like AlertBoot.