NEW: You can review and comment on the key documents, which I’ve posted in editable wiki form at http://caringaboutsecurity.wikispaces.com! Cool, huh?(I’ve not posted the less important documents to the wiki. Just exhibits A, F, and G for now.) Please take a look and provide feedback.
On December 9, 2010, I filed and argued in court against the motion for preliminary approval:
Elvey_Response_to_Kreinder-TDA_offer.pdf describing our concerns. I’d highlight them thusly: We pushed for an effective audit. This settlement proposal notice is misleading and poorly publicized, and so cannot be fair. It has an audit component that to the untrained or hasty eye is meaningful compensation, but to the security expert or careful reader is security theatre that “does not require Ameritrade to adopt any new permanent security measures to remedy the problems giving rise to the lawsuit, or even to reveal what those security problems were and how it has fixed them.”
I also filed and argued for a motion to unseal the secret deposition:
Motion_to_Unseal.pdf. I had to rush to get these out; the hearing was originally scheduled for December 23rd.
If I’d had more time, I’d have presented this argument for the motion to unseal: Essentially, there’s a major inconsistency with respect to the risk of ID theft. Based on the information provided to me by the whistleblower, I believe that a claim that TD Ameritrade has found no evidence linking the data breach to identity theft attempts is untrue. And yet, the settlement states “TD Ameritrade has no evidence linking the data breach to instances of identity theft”. So I conclude that either the settlement is inconsistent with the deposition, or the deposition contains untrue or highly misleading statements that have induced the attorneys working on behalf of the class to agree to a settlement that misleads the class as to the nature of the risk of identity theft. They don’t have the whistleblower’s information, or the deposition. I also would have argued that proposed class reps and counsel should receive a copy of all reports from security firms ID Analytics and Mandiant. The whistleblower has made it very clear that TD Ameritrade does not have evidence that the hackers never took social security numbers.
In court, Judge Walker asked me if I was aware that I could opt out. Of course I am, but I wish I’d added that I spoke in court because I filed my motion and fight this case on behalf of the class, and take my duty to represent that class seriously; whether the court has recognized the class yet, or me as its rep, that is still my legal obligation.
Originally Published on: Nov 18, 2010:
These filings are in response to the latest proposed settlement up for preliminary approval,
Unfortunately, the settlement papers were not properly filed, so I do not have proper (searchable) PDFs, but I am pushing to have this rectified (don’t hold your breath though).
(Yes, 4 exhibits appear to have been filed 3 times!)
229.CERTIFICATE_OF_SERVICE.pdf is unimportant; it’s apropos Bob Kriss, apparently a luddite attorney representing TD Ameritrade who has email (“Robert J.Kriss” ) but is too clueless to get with the program and register properly for the Court’s ECF system, as is REQUIRED by General Order 45, which provides at Section IV (A) that “Each attorney of record is obligated to become an ECF User and be assigned a user ID and password for access to the system upon designation of the action as being subject to ECF.”* and yet, amazingly, has represented some of the world’s largest technology companies!
*as quoted in Case 3:06-cv-02169-MHP Document 20.
“News” coverage this time around is on a par with last time.
The AP’s Josh Funk mis-reported on the morning of November 16, 2010 that all class members could get at least $50! The story has since been quietly corrected. (Most class members would get $0.) The story still sometimes appears with the doubly-erroneous subtitle “New TD Ameritrade data theft settlement offers people $50-$2,500 for ID theft in 2007 breach”.
It seems Ameritrade’s PR has been working overtime, and there’s no bar low enough that they won’t step under it.
Sarah Pierce, a “reporter” for topclassactions.com mis-reported on November 25th: “Social Security Numbers, user names and passwords were not compromised, according to TD Ameritrade’s investigation into the matter.” This is simply false (where does this misinformation come from? Pre-written ‘news’ articles from Ameritrade’s PR, like the ? Social Security Numbers were compromised. I’ve detailed the evidence proving the utter falsehood of this claim that Ms Pierce has echoed, as has has the PRC. I’ve discussed this news problem here and in court filings, explaining why datalossdb and the PRC changed their tune, to correctly report that Social Security Numbers were compromised, according to TD Ameritrade’s own reports. Ms Pierce also mis-reports: “A final approval hearing on the new Ameritrade Data Breach Class Action Lawsuit Settlement will be held December 23.” This is not true either; no hearing date has been set for a final approval hearing; the settlement hasn’t even been preliminarily approved; the judge is considering whether to do so.
NEW: AlertBoot’s Sang Lee mis-reported that clients only had their “immaterial” personal information, namely e-mail addresses, stolen! Sang Lee reinforces the point I made to Judge Walker last week (as exemplified by docket entries 110, 112, 116, 117, 161, and 178): readers are routinely misled by the proposed notice into thinking that just addresses were stolen, not only by being another glowing example, but also by highlighting the difference in severity between an SSN compromise and an email address compromise; Judge Walker’s comment in court was ‘same difference’, or something to that effect.
It’s interesting to compare this proposed settlement to the settlement disclosed at www.dadsettlement.com. The latter seems to provide class members with a much better deal: There’s no per-class-member cap on claimed damages, and every class member is offered years of credit monitoring protection.
NEW: Eric Goldman’s very popular Technology & Marketing Law Blog has also mis-reported the minimum class member compensation as $50 instead of $0. It has issued a couple corrections and clarifications to its interesting, unique article on this settlement proposal. It’s even more interesting with the corrections, and will get even more interesting than that when (or if) class counsel responds to his inquiry. Class counsel has become unresponsive again; I’ve twice sent the same follow-up email regarding my complaint that the Claim Forms (online and for paper-filing) were not made available until well after the notices had been sent out, (and the latter is STILL not available, which are a superbly evil way to BOTH decrease payouts to the class, AND increase payouts to class counsel). I have received no response!
NEW: The Privacy Rights Clearinghouse has also mis-reported the minimum class member compensation as $50 instead of $0; correction is in process.
NEW: I think the main improvement is that now at least some class members get a major benefit. Unfortunately, it’s only a tiny fraction who will get any money. The main hurdles are:
- Learn of the settlement (most members will not learn of it, as the only MOST likely way they’ll learn of it is an email to an email address that’s years old and will probably go into spam folders), and then understand it (the 3 notices and claim form are long and complicated).
- Be eligible for compensation. If you’ve not been an Identity Theft victim, you get $0.