The proposed settlement has been thrown out!
What did I think of the decision?
What do I want to see happen?
The media is asleep on the job?
What did I think of the decision?
We won a round! I am heartened and thrilled that Chief Judge Vaughn Walker’s order rejecting the settlement cited my argument that the settlement TD Ameritrade and KamberEdelson proposed had mischaracterized the nature of the risks associated with the breach! Social Security numbers were compromised; I led the two main organizations that the GAO relies on as experts in tracking data on all disclosed information privacy and security breaches in the US to modify their public listings to acknowledge the SSN compromise! (They are OSF (Open Security Foundation) – the maintainers of Attrition.org’s Data Loss Database (or DLDB, with the relevant entry at datalossdb.org/incidents/787) – and PRC (Privacy Rights Clearinghouse); search here for ‘elvey’.)
As the plaintiff, and duty-bound class representative, I am in favor of a settlement if:
- TD Ameritrade confirms that it has been checking, and will continue to check on an ongoing basis, and publicly report, how many of the social security number canaries, in particular, that it has put in its databases have and have not been used to apply for credit. (The proposed settlement mentions canaries, but doesn’t require such tracking.)
- TD Ameritrade makes appropriate information about the breach available to the public, including when it happened and what information was taken, what it doesn’t know, and does a better job informing its customers about the breach and the risk of identity theft, passes internal security audits, works cooperatively with law enforcement, and provides a meaningful benefit to the class.
What do I want to see happen?
I hope that the court appoints Kreindler and Kreindler as new counsel and I will ask the court to include me as a class representative at the CMC December 10th. I have an exhaustive knowledge of the case and relevant expertise, I uncovered the breach, I proved that known criminals had gained access to the database with SSNs, I have information from a whistleblower contact, and my own, which would be extremely valuable for interrogatory and discovery, and I think my counsel at Public Citizen will prove helpful to the new lead counsel. Not appointing me sends a dangerous message to all class reps who don’t agree with the deal their counsel has negotiated. Keeping the past reps as class reps also sends a bad message, as they approved the rejected settlement, as well as the two previous versions, which were even less fair. Judge Walker is famous for being an expressive advocate of active, involved class reps. I believe he doesn’t change his mind.
Longer term, I hope that a message is sent that there are material consequences if your company doesn’t take security seriously. Every company must be made to expect material consequences if it tells current and potential customers that its web site is secure when members of its own Information Security department KNOW that there’s an ongoing security breach. My behavior to date demonstrates my reasonableness, fairness and integrity with respect to honoring my duty to the class, even when doing so was contrary to my views or financial interest. If I just wanted money, I would never have taken the job of class rep, as it pays very poorly. I would have to be paid fifty or a hundred times that much to match what I usually charge, given the time I’ve dedicated to this case. While Judge Walker often claims everyone’s motives are always economic (and certainly they usually are), I don’t think I have to search very far to prove that’s not always the case. Judge Walker’s bonus, if he were in private practice, would be more than his actual salary, and yet there he sits on the bench. I took the job because I saw the potential to do enormous good just by having a tiny positive impact on the lives of millions of people. Call me selfish, because I want to be happy and believe that doing enormous good is a reasonable way to achieve that goal.
I have to blog about this because the press is doing an amazing…ly poor job.
- First of all, this is arguably the worst data breach ever. It was, when it happened, the largest hack ever that involved Social Security Numbers. Why is it getting so little coverage and not being reported as such? Even before the SSN, etc., compromise came to light, reporters were saying: ‘The implications of this for Ameritrade are . . . what is the word I’m looking for? Ah yes. Huge. This is a story that has, as we say, “got legs.” Stay tuned.’ Well, yes, hundreds of sites carried an AP article or two, and it did get the coverage I link to at right, and more, but I feel like I’m still waiting.
- BrokerNewsBlog reports, incorrectly, that the breach was in 1997, not from 2005 to 2007 (Archive).
- KETV news reported, incorrectly, that in September 2007, someone hacked into one of TD Ameritrade’s databases and stole customer information (Archive). In fact, the database hack had been reported to the company in October of 2005, and was the subject of my 2006 lawsuit. (See here and here and this whole blog.)
- A third of the press is still mis-reporting this as nothing more than a spam problem! This is true even though it’s undisputed (as the OSF and PRC have noted, as I mentioned above) that SSNs were compromised, by TD Ameritrade’s own admission.
- Where’s the investigative journalism? Who, other than me, is digging, poking around, asking TD Ameritrade, Mandiant, ID Analytics, FBI, SEC, etc. the tough questions, or any questions at all? No one has even asked me for any of the information or documents I have from the whistleblower who has contacted me. My whistleblower tells me that TD Ameritrade enjoys a good relationship with the trade press, and that has helped keep the real story hidden…
- Ira Winkler fails to report the most essential information, writing in Computerworld only that names, addresses, phone numbers and trading information were compromised – no mention of SSNs. He also got the details of the settlement wrong: the software is offered to all class members; it’s phone coaching that only the empty set of identified victims can get. Winkler was correct when he quoted Judge Walker saying, “Penetration tests provide a reliable way for companies to detect the sort of security weaknesses that led to the Ameritrade breach,” and responded, simply: “That just isn’t true.” I’m glad I’m not the only one pointing this out. (I finally finished my long-overdue post on the Security Audit’s settlement component! – where I discuss an FTC-negotiated breach settlement requiring 20 years of audits, differentiate taking and passing an audit, ISO 27001, etc.) Ira’s audit suggestions echo those I discussed in my CMC statement (see pages 8 & 10 of that document).
- New: Here’s how some in the industry are covering this.
- TD Bank is in hot, hot water over another breach. Clearly, they’ve done an adequate job shoring up their security. NOT!