Judge says TD Ameritrade's proposed security fixes not enough
A federal judge's rejection of a proposed settlement by TD Ameritrade Inc. in a data breach lawsuit marks the second time in recent months that a court has weighed in on what it considers to be basic security standards for protecting data.
U.S. District Court Judge Vaughn Walker in San Francisco yesterday denied final approval of a settlement that had been proposed by TD Ameritrade in May to settle claims stemming from a 2007 breach that exposed more than 6 million customer records .
In arriving at his decision, Walker said the court didn't find the proposed settlement to be "fair, reasonable or adequate." Rather than benefit those directly affected by the breach, Ameritrade's proposed settlement is designed largely to benefit the company, Walker wrote in his 13-page ruling.
In September 2007, Ameritrade announced that the names, addresses, phone numbers and trading information of potentially all of its more than 6 million retail and institutional customers at that time had been compromised by an intrusion into one of its databases. The stolen information was later used to spam its customers.
As part of an effort to settle claims arising from that incident, Ameritrade this May said it would retain an independent security expert to conduct penetration tests of its networks to look for vulnerabilities.
The company also offered to retain the services of an analytics form to find out whether any of the data that had been compromised in the breach had been used for identity theft purposes. The company also said it would give affected customers a one-year subscription for antivirus and antispam software.
It was these offers that the judge dismissed as too meager. He described the additional security measures that Ameritrade proposed in the settlement as "routine practices" that any reputable company should be taking anyway.
Penetration tests provide a reliable way for companies to detect the sort of security weaknesses that led to the Ameritrade breach, Walker said. But "as a large company that deals in sensitive personal information, penetration and data breach tests should be routine practices of TD Ameritrade's department that handles information security," he wrote.
The two "very temporary fixes do not convince the court that the company has corrected or will address the security of client data in any serious way, let alone provide discernable benefits," he noted.
A TD Ameritrade spokeswoman said the company would provide its response to the judge's ruling soon.
The case is the latest to illustrate a growing willingness by courts around the country to consider claims of negligence and breach of contract brought by individuals against companies for failing to protect sensitive data.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
data breach
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
