NEW: You can review and comment on the key documents, which I’ve posted in editable wiki form at http://caringaboutsecurity.wikispaces.com! Cool, huh? (I’ve not posted the less important documents to the wiki. Just exhibits A, F, and G for now.) Please take a look and provide feedback.

On December 9, 2010, I filed and argued in court against the motion for preliminary approval:

Elvey_Response_to_Kreinder-TDA_offer.pdf describing our concerns. I’d highlight them thusly: We pushed for an effective audit. This settlement proposal notice is misleading and poorly publicized, and so cannot be fair. It has an audit component that to the untrained or hasty eye is meaningful compensation, but to the security expert or careful reader is security theatre that “does not require Ameritrade to adopt any new permanent security measures to remedy the problems giving rise to the lawsuit, or even to reveal what those security problems were and how it has fixed them.”

I also filed and argued for a motion to unseal the secret deposition:

Motion_to_Unseal.pdf. I had to rush to get these out; the hearing was originally scheduled for December 23rd.

If I’d had more time, I’d have presented this argument for the motion to unseal: Essentially, there’s a major inconsistency with respect to the risk of ID theft.  Based on the information provided to me by the whistleblower, I believe that a claim that  TD Ameritrade has found no evidence linking the data breach to identity theft attempts is untrue.  And yet, the settlement states “TD Ameritrade has no evidence linking the data breach to instances of identity theft”.   So I conclude that either the settlement is inconsistent with the deposition, or the deposition contains untrue or highly misleading statements that have induced the attorneys working on behalf of the class to agree to a settlement that misleads the class as to the nature of the risk of identity theft.  They don’t have the whistleblower’s information, or the deposition. I also would have argued that proposed class reps and counsel should receive a copy of all reports from security firms ID Analytics and Mandiant. The whistleblower has made it very clear that TD Ameritrade does not have evidence that the hackers never took social security numbers.

In court, Judge Walker asked me if I was aware that I could opt out. Of course I am, but I wish I’d added that I spoke in court because I filed my motion and fight this case on behalf of the class, and take my duty to represent that class seriously; whether or not the court has yet recognized the class, or me as its rep, that is still my legal obligation.

Originally Published on: Nov 18, 2010:

These filings are in response to the latest proposed settlement up for preliminary approval.

Unfortunately, the settlement papers were not properly filed, so I do not have proper (searchable) PDFs, but I am pushing to have this rectified (don’t hold your breath though).

226.Motion for Preliminary Approval.pdf

227-1.Agreement.100p.Sigs.ExhA.1.B.C.D.E.A.1.B.C.F.G.pdf

228.Proposed_Order.28p+Exh.A.1.B.C.pdf

(Yes, 4 exhibits appear to have been filed 3 times!)

229.CERTIFICATE_OF_SERVICE.pdf is unimportant; it’s apropos Bob Kriss, apparently a luddite attorney representing TD Ameritrade who has email (“Robert J.Kriss” ) but is too clueless to get with the program and register properly for the Court’s ECF system, as is REQUIRED by General Order 45, which provides at Section IV (A) that “Each attorney of record is obligated to become an ECF User and be assigned a user ID and password for access to the system upon designation of the action as being subject to ECF.”* and yet, amazingly, has represented some of the world’s largest technology companies!

*as quoted in Case 3:06-cv-02169-MHP Document 20.

Addendum

“News” coverage this time around is on a par with last time.

The AP’s Josh Funk mis-reported on the morning of November 16, 2010 that all class members could get at least $50! The story has since been quietly corrected.  (Most class members would get $0.) The story still sometimes appears with the doubly-erroneous subtitle “New TD Ameritrade data theft settlement offers people $50-$2,500 for ID theft in 2007 breach”.

It seems Ameritrade’s PR has been working overtime, and there’s no bar low enough that they won’t step under it.

Sarah Pierce, a “reporter” for topclassactions.com mis-reported on November 25th: “Social Security Numbers, user names and passwords were not compromised, according to TD Ameritrade’s investigation into the matter.” This is simply false (where does this misinformation come from? Pre-written ‘news’ articles from Ameritrade’s PR, like the ? Social Security Numbers were compromised. I’ve detailed the evidence proving the utter falsehood of this claim that Ms Pierce has echoed, as has the PRC. I’ve discussed this news problem here and in court filings, explaining why datalossdb and the PRC changed their tune, to correctly report that Social Security Numbers were compromised, according to TD Ameritrade’s own reports. Ms Pierce also mis-reports: “A final approval hearing on the new Ameritrade Data Breach Class Action Lawsuit Settlement will be held December 23.” This is not true either; no hearing date has been set for a final approval hearing; the settlement hasn’t even been preliminarily approved; the judge is considering whether to do so.

NEW: AlertBoot’s Sang Lee mis-reported that clients only had their “immaterial” personal information, namely e-mail addresses, stolen!  Sang Lee reinforces the point I made to Judge Walker last week (as exemplified by docket entries 110, 112, 116, 117, 161, and 178): readers are routinely misled by the proposed notice into thinking that just addresses were stolen, not only by being another glowing example, but also by highlighting the difference in severity between an SSN compromise and an email address compromise; Judge Walker’s comment in court was ‘same difference’, or something to that effect.

It’s interesting to compare this proposed settlement to the settlement disclosed at www.dadsettlement.com.  The latter seems to provide class members with a much better deal: There’s no per-class-member cap on claimed damages, and every class member is offered years of credit monitoring protection.

NEW: Eric Goldman’s very popular Technology & Marketing Law Blog has also mis-reported the minimum class member compensation as $50 instead of $0. It has issued a couple of corrections and clarifications to its interesting, unique article on this settlement proposal. It’s even more interesting with the corrections, and will get even more interesting than that when (or if) class counsel responds to his inquiry. Class counsel has become unresponsive again; I’ve twice sent the same follow-up email regarding my complaint that the Claim Forms (online and for paper-filing) were not made available until well after the notices had been sent out (and the latter is STILL not available), which is a superbly evil way to BOTH decrease payouts to the class, AND increase payouts to class counsel. I have received no response!

NEW: The Privacy Rights Clearinghouse has also mis-reported the minimum class member compensation as $50 instead of $0; correction is in process.

NEW: I think the main improvement is that now at least some class members get a major benefit. Unfortunately, it’s only a tiny fraction who will get any money. The main hurdles are:
  1. Learn of the settlement (most members will not learn of it, as the MOST likely way they’ll learn of it is an email to an email address that’s years old and will probably go into spam folders), and then understand it (the 3 notices and claim form are long and complicated).
  2. Be eligible for compensation. If you’ve not been an Identity Theft victim, you get $0.
  3. Take the time and have the skill to understand the need for, and do the research to request, create or find the particular evidence paperwork required to apply successfully for the most compensation.
Under the previous settlement, to which I objected, at least all class members were well-notified of, eligible for and could fairly easily apply for the main benefit – the Trend Micro security suite.
Here’s how the settlement works:
If you’ve been an Identity Theft victim, and the only identity theft you experienced involved an Existing Credit or Debit Card Account, you may recover $50 if you correctly provide the required information described on a complicated form, and obtain and provide copies of the documentation it requires.
If you’ve been an Identity Theft victim, and the identity theft you experienced involved a New Account or an Existing Account other than an Existing Credit or Debit Card Account, you may recover up to $250 if you correctly provide the required information described on a complicated form, and obtain and provide copies of the documentation it requires, and may recover up to an additional $750 in out-of-pocket expenses, defined to include telephone charges, copying, postage charges or other charges incurred in closing or correcting an account that was opened or affected as a result of this kind of identity theft. (Identity theft monitoring and insurance and legal fees and lost wages are NOT on the list, which is copied from the Agreement.) Also, if as a result, you paid money that you didn’t really owe to creditors and you tried and failed to get them to waive the charges due to the ID theft, and you tried and failed to get them to refund the charges, you can apply to get up to $1500 of it back.
TD Ameritrade will retain Neohapsis, at TD Ameritrade’s expense, to assess whether TD Ameritrade has met certain information technology security standards set forth in the Settlement Agreement (Exhibit G).
But, the standards do not require that TD Ameritrade ensure that default passwords on their servers not be left unchanged, that they perform penetration testing, or that they retain or monitor canaries placed in their user account database. I pushed to have the audit require these very reasonable steps, but it doesn’t.  If TD Ameritrade fails to meet one or more of the standards, the agreement does not require that the Evaluator perform a second assessment after TD Ameritrade is given time to correct the non-compliance.
All the benefits of the old settlement are gone:
No free year of Trend Micro Internet Security Pro.
No site penetration testing. There is no assurance that existing custom applications will be tested. There is no assurance that even new custom applications will be tested! The settlement does nothing to forbid or prevent TD Ameritrade from reverting all the policy changes it makes or merely promises to make in order to be able to pass the audit as soon as it has been passed!!! There are at least a couple other gaping holes in the security compliance audit settlement component. I’d be ecstatic if the settlement provided for auditing if there weren’t gaping holes.
No account seeding with canaries.
No charitable donations to any of the charities previously identified and none are guaranteed to the new ones.
No $2.8 million to the plaintiffs’ attorneys. They get $500,000 (less any funds over $6,000,000 distributed to the class). How it’s to be shared is not determined or disclosed.
No $10,000 for class representatives, like me. I discovered the information security breach by which the Social Security Numbers of 6.3 million Ameritrade customers were compromised and proved that known criminals had gained access to the database they were in, and used info stolen from the database to commit fraud. I also showed that Ameritrade covered up the breach by finding and reporting on the information I obtained from a whistleblower.
I get $0.
The standards do NOT require that TD Ameritrade change the passwords for or disable all default system accounts, or that ‘good’ passwords be used, though the latter is somewhat implied by the training. Given that there are public reports that TD Ameritrade has had problems in the past with having default passwords on important systems, this is a frightening fact.
The Server Safeguards only apply to “servers on which an external client connection terminates (“Connected Servers”)”, not to machines such as the database system that was compromised during the breach! Surely such systems should not be running software with well-known security flaws.
The auditor can’t predict the future; without predicting the future, it is impossible for an auditor to reliably determine whether, e.g., “4. TD Ameritrade will have policies controlling the storage, access and transport of customer information.” An auditor can evaluate whether TD Ameritrade has a policy. More importantly, an auditor can evaluate whether TD Ameritrade enforces a policy. How can an auditor meaningfully evaluate whether TD Ameritrade promises to have a policy?
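As an added illustration (not from the settlement papers, the filings, or any TD Ameritrade system), here is what the ‘seed and monitor canaries in the user account database’ control discussed above can look like in code: synthetic records are inserted into a constructed account table, a retention check confirms they are still there, and a monitoring check flags any canary address that turns up as a recipient of inbound mail, which is evidence the table itself leaked. The account table, the secret key and the domain `canary.example` are all assumptions.

```python
import hashlib
import hmac

# Constructed sample of a customer account table; not real customer data.
ACCOUNTS = [
    {"id": 1001, "email": "alice@example.com", "name": "Alice Example"},
    {"id": 1002, "email": "bob@example.net", "name": "Bob Example"},
]

# Assumption: a mailbox domain the defender controls and never hands out.
CANARY_DOMAIN = "canary.example"


def canary_email(secret: bytes, index: int) -> str:
    """Derive a reproducible, unguessable canary address from a secret key."""
    tag = hmac.new(secret, f"canary-{index}".encode(), hashlib.sha256).hexdigest()[:12]
    return f"c{tag}@{CANARY_DOMAIN}"


def seed_canaries(accounts, secret: bytes, count: int):
    """Append `count` synthetic records; return (table, registry of canary emails)."""
    table = list(accounts)
    next_id = max(a["id"] for a in table) + 1
    registry = set()
    for i in range(count):
        email = canary_email(secret, i)
        table.append({"id": next_id + i, "email": email, "name": f"Canary {i}"})
        registry.add(email)
    return table, registry


def canaries_retained(table, registry) -> bool:
    """'Retain' check: every seeded canary must still be present in the table."""
    return registry <= {a["email"] for a in table}


def tripped_canaries(inbound_recipients, registry):
    """'Monitor' check: a canary address was never given to anyone, so mail
    addressed to one is evidence that the account table has leaked."""
    return sorted(r.lower() for r in inbound_recipients if r.lower() in registry)


if __name__ == "__main__":
    table, registry = seed_canaries(ACCOUNTS, b"demo-secret", 3)
    print("retained:", canaries_retained(table, registry))
    # Constructed inbound-mail log: one message was addressed to a canary.
    inbound = ["alice@example.com", canary_email(b"demo-secret", 1).upper()]
    print("tripped:", tripped_canaries(inbound, registry))
```

The registry of canary addresses must itself be kept outside the monitored table, otherwise whoever copies the table also learns which records to avoid.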
An organization that is so inept that, 5 years after a catastrophic security breach, it invites public scrutiny of such poorly designed auditing procedures, is truly frightening. I wish I could say more about the frightening things I learned and concerns I raised while MJ Spero was managing the case.
I’d hate to be TD Ameritrade when its security is breached again because it failed to do the things I think an audit should ensure it does.
What we had in the earlier settlement was ‘lipstick on a pig’. What we have now is a beautiful, shiny, black, armored Humvee containing the rotting corpse of a pig in a nice suit and lipstick.
Under the current settlement, about 0.01% of the class will receive compensation that I’d call within the bounds of fair, reasonable and adequate. The bulk of the class will receive less than nothing. The bulk of the class will have their rights taken away and in return receive news of an audit that actually provides layperson-convincing but malicious-expert-attracting security theatre instead of real security.
The legal basis for the case rests largely on the claim that Ameritrade’s privacy policy was deceptive, because they KNEW their security had an ongoing breach for 2 years and falsely advertised in their privacy policy during that 2 year period that they had good security. The case’s claim cannot be remedied by a settlement that itself is deceptive, because it deceives the class with respect to when the breach started, what the main resulting damage and risks are, and provides the false impression that it will ensure that the company has passed an audit verifying that TD Ameritrade now has good security. The audit is so full of holes it doesn’t provide any true reassurance about TD Ameritrade security. It’s as reassuring as the Michigan gun test (http://www.nytimes.com/1991/06/11/us/true-or-false-michigan-gun-test-is-easy-a-true.html. Note: I’m saying that they are both designed to be ineffective; I’m not taking any position on gun control).
I’ve learned that our legal system is sometimes no match for a powerful corporation with skilled PR and legal teams.  There’s no doubt TD Ameritrade covered up the news of the breach and has largely been successful in keeping the bulk of its customer base uninformed of its transgressions.