This is a response to DataLossDB blog post Legal Sub-Project – Elvey v. TD Ameritrade by jkouns on June 14, 2009
You ask some tough questions, and I have answers! This is Elvey. I filed the case. I was not aware of this post ’till now and want to belatedly direct any potential readers to some information that should further inform, as well as correct some inaccuracies.
I greatly appreciate your coverage of the case and particularly your highlighting and clear explanation of some of the key details that others have glossed over, like detailing the lack of substantial improvements in the new settlement, the far-fetched reasons for sealing the deposition (even from my own eyes!), and especially your picking apart the ridiculousness of the whole ‘presumption that since no evidence of “organized misuse” exists, Social Security numbers had not been compromised.’ concept.
I want to emphasize that my initial case filing alleged a “classic pump-and-dump scheme”, with a definition, references and strong evidence that the scheme benefited TD Ameritrade, not mere garden variety spamming.
What brought the compromise of Social Security numbers to light was the injunction I filed that forced TD Ameritrade to disclose it, not the suit Zigler filed. (By the way, Zigler was someone I found. Zigler was a victim of the breach and my attorneys and I reached out to him and he joined my case very early on. (The initial case caption is “[Me] and GADGETWIZ, INC., an Arizona corporation [owned by Brad Zigler], on their own behalf and on behalf of all others similarly situated,Plaintiffs v. TD AMERITRADE…”)) Over a year later, the firm of Scott Kamber, the crooked attorney who flew to San Francisco to arrive at my home unannounced to back the threats he had made on the phone and via email after I balked at the shitty settlement terms he negotiated, filed the Brad Zigler v. TD Ameritrade case. Some of the threats are described and quoted in a court filing and this blog post; links to the former, document Dkt 175. I stand by the accuracy of the quotes in that filing. Do they not convince you that Kamber’s claim that “Never was Mr. Elvey threatened or even pressured in any manner.” is a lie? I think the Trial Lawyers closed ranks to protect one of their own, instead of rooting out the documented threat or the corruption that motivated it. Despite strong pressure and direct legal advice to keep quiet about the threats, I refuse to back down.
You claim /ask: “Why did Elvey approve the settlement in the first place?” But as I noted on my blog in the post linked to above, “KamberEdelson filed document Dkt 53-2 with the court (the first proposed settlement), to my case’s docket, which shows my signature on a signature page I signed (i.e. it is my signature) but it’s been placed into a document I did not sign.”
What I haven’t thought to made public ’till now is some further evidence to back that up:
On Thursday, May 22, 2008, I emailed the court of Judge Vaughn Walker directly:
“I’m just following up on an urgent message I left with VRW’s
docket clerk and discussion with his court deputy.
Please do not accept any settlement agreement my attorneys file
that purports to contain my signature or assent to a settlement
without verifying that signature or assent with me directly. You
should expect any documents that purport to have my signature to
be digitally signed (e.g. like this email – with a with an S/MIME
or PGP/GPG key).
I’d be happy to explain further in court; I’d explain here but I
have been told that I shouldn’t; it might be inappropriate ex
-Matthew Elvey, Plaintiff.”
Once presented with the surprising, horrible settlement draft and threatened, I had begun figuring out what to do, begun searching for alternate counsel to represent the class and anticipated the filing that was made days later. I’d been assured TD Ameritrade had agreed that the settlement would include passage of real (internal) security audits, no release of liability for ID theft, and a substantial breach-fighting non-profit (like the OSF) donation component, but it didn’t!
I hope that answers your question: “Why did Elvey approve the settlement in the first place?” Clear?
You ask, “Is TD Ameritrade not already required by industry standards like PCI, or better yet, its own internal security policies to do so?” I answered that in this old blog post.
I’m generally very skeptical and a Yale-educated scientist – not one to believe conspiracy theories. I see conclusive evidence of corruption by key parties this case. That, plus strong but not conclusive evidence has me convinced that there’s also corruption behind other odd decisions in the case that you mention, like support for and approval of the slightly improved settlement version that as you say, “substantively didn’t really alter much”.