What made the Ameritrade data breach particularly memorable was not that 6.3 million customers had their personal info compromised and inboxes stuff with spam as a result. No, what made it memorable was that the company had received multiple warnings from IT professionals over more than a year that its database had been compromised — yet took no action before the bits hit the fan last fall.
And here’s what will make the settlement of a resultant class-action lawsuit memorable, provided a judge overcomes his nausea and eventually blesses the deal: Of the nearly US$2 million Ameritrade would pay for its sins, almost all of it would wind up in the pockets of plaintiffs’ lawyers.
What would those victimized get?
A year’s worth of spam blocking service.
According to an account in Wired: “U.S. District Judge Vaughn Walker was concerned whether the deal, which gives more than $1.8 million in legal fees to the plaintiff’s attorneys, would provide any real benefits to the class of online brokerage customers.”
The judge had other concerns as well, including a contention from lead plaintiff Matthew Elvey that he had been coerced into accepting the terms of the deal despite his belief that it was inadequate.
Recap: Swimming pools and private-school tuition for the lawyers and their families; warm bucket of spit for Ameritrade customers whose inboxes ballooned with spam after the dam broke.
Of course, this is pretty much the way things go in class-action lawsuits, where the individual members of the class incur damages that are relatively minor and/or difficult to quantify. But it’s still a less-than-satisfying outcome for those on the receiving end of Ameritrade’s sloppiness and stubborn refusal to listen to what experts were telling them.
And none of this comes as much of a surprise to Josh Fritsch, an IT security veteran who was among those sounding alarms in early 2006 that Ameritrade had a problem. Fritsch was also among the Ameritrade customers victimized, but not a party to the lawsuit.
“In the end, [the suit is] not going to matter much,” Fritsch tells me. “Any real compensation for carelessness with personal data will never be offered, and the token concessions which are made are basically useless.
“If Ameritrade were serious about making amends for their error [and ignoring the error for so long] they would publicly disclose the full results of their investigation, thus ‘proving’ their claim that there was no real problem,” he adds. “They would also offer a choice of free service from them [such as free trades] or free service with a competing broker [at Ameritrades’ expense] if the victim elects to find service elsewhere. This would rebuild trust, prove honesty, and demonstrate a sense of caring for their clients.”
Likelihood of that happening?
“Don’t hold your breath.”
Score one for the EFF
In a significant pushback against music industry efforts to expand copyright control at the expense of consumers and the so-called “first sale doctrine,” a California judge has ruled that recipients of promotional CDs are free to do with them as they please, up to and including reselling them on eBay.
In other words, what would seem obvious to the layman, also happens to be the law. The long-running case involved Universal Music Group and an eBay merchant who would scoop up promo CDs from second-hand shops and industry types, then resell the discs. UMG fought tooth and nail, but the judge says the reseller was within his rights.
The Electronic Frontier Foundation was front and centre fighting this skirmish.