Data Breach Costs: TD Ameritrade Offers Second Settlement For Customer Email Data Breach.

Three years ago, TD Ameritrade suffered a data breach and 6.2 million clients had their e-mail addresses stolen.  Today, TD Ameritrade offered a settlement for that breach, after getting their original one rejected about a year ago by the presiding judge.

I’ve often noted that data encryption software like AlertBoot endpoint encryption is very important for sensitive data, but this case makes it important to secure “immaterial” personal information as well.

Up to $2,500 for ID Theft Victims

About a year ago, TD Ameritrade tried to settle this lawsuit.  The judge rejected it on the grounds that the only people making out like thieves were the lawyers (and possibly TD Ameritrade; take a look at my previous post).

This new attempt to put the data breach behind it is much more focused on indemnifying clients.  And yet something doesn’t quite sit right in my opinion.

Under the new terms, TD Ameritrade clients will receive anywhere between $50 and $2,500, although most payments are expected to be much, much lower than the maximum.

The total cost is estimated to be between $2.5 million and $6.5 million. With 6.2 million clients affected, it’s easy to tell that the settlement won’t extend to all.  In fact, only clients who had their e-mail address stolen AND suffered ID theft since can submit a claim.

Whether the ID theft originated from the breach at TD Ameritrade does not matter if clients can prove that they were a victim of ID theft.

This settlement, like the previous one, must gain the green-light from the presiding judge, Vaughn Walker in San Francisco.  I’m no legal expert, but seeing how he rejected the first settlement on grounds that it didn’t do much for victims, there is a good chance he may accept this one.

A New Direction?

One of the biggest difficulties people face when suing a company for a data breach is proving that they were materially and directly affected by the breach.  In fact, case after case in the US has been dismissed where people were suing because “they could be at risk” due to their personal information, such as SSNs, being lost or stolen in a data breach.

Being at risk is not grounds for winning lawsuits.  In fact, it’s not even grounds for judges accepting a court case, if my understanding of “summarily dismissed” means what I think it means.

And, yet, here we have a decision where a company is willing to settle despite the fact that the plaintiffs, for the most part (and I’m making an educated guess here) are unable to connect the real crime of ID theft to what transpired at TD Ameritrade.

Could this be a watershed moment?  Not one for the books, of course, since this is a settlement.  Settlements cannot be used as court precedents, as far as I understand.  But, companies do take cues from everything that has transpired before.

Maybe this will be the case that signals companies, “hey, e-mail addresses need to be protected with encryption software, too.”  Which, personally, sounds kinda weird.
