Court Approves TD Ameritrade Data Breach Settlement — In re TD Ameritrade

[Post by Venkat Balasubramani]

In re TD Ameritrade Accountholder Litigation, 07-2852 (N.D. Cal.; Dec. 20, 2010) (Order granting preliminary approval of settlement)

A class action lawsuit arising out of a TD Ameritrade data breach looks like it’s winding its way to resolution. Judge Walker granted preliminary approval to the class settlement, which:

(1) requires payment of between $2.5 to 6.5 million to the class – each claimant is “entitled to seek cash benefits ranging from $50 to $2,500, depending ‘on the nature of the account affected by the identify theft and the type of expense and unreimbursed loss incurred . . . .'”;
(2) sets a maximum of $500,000 for attorney’s fees; and
(3) requires TD Ameritrade to engage a third party auditor to assess its data security practices.

[Clarification/correction: Matthew Elvey emails to note that class members are not automatically entitled to compensation. Only class members who have been victims of “identity theft” are entitled to compensation, based on a range of factors. Interestingly, I may be missing something, but don’t see a definition for “identity theft” in the settlement agreement. A common sense interpretation would mean people whose data has actually been misused. Another possible framework would have been to allow compensation for people whose data was compromised, regardless of whether the data was misused. I’ve emailed class counsel for some clarification on this and I’ll post an update when I hear back.] The precise amount of each payout will be determined by the claims administrator based on guidelines contained in Section 3 of the settlement agreement. If the amounts claimed by the class are less than $2.5 million, the difference will be paid to certain identified public interest organizations. (Access a copy of the settlement agreement here.)

The lawsuit has a tortured procedural history – the wranglings and objections are reminiscent of the Beacon class action, and involve some of the same players and issues (e.g., Kamber Edelson as class counsel, no cash compensation to class members). Judge Walker previously rejected the class settlement (in October 2009) in an order that recounts some of these wranglings. (Access a copy of Judge Walker’s previous order rejecting the proposed class settlement here.)

As Judge Walker’s previous order notes, the previous settlement terms proposed by TD Ameritrade principally required TD Ameritrade to: (1) post a warning regarding “stock spam” on its website; (2) retain an independent expert to audit its security practices; (3) retain a consultant to see if any of the lost data had been misused in an “organized” manner and inform any affected class members of this misuse; (4) give out a free one-year subscription to class members to an anti-virus, anti-spam security product; and (5) donate $50,000 to “specified cyber-security projects.” The original proposed settlement also proposed a payment of fees to class counsel in the amount of $1,870,000. One of the class representatives (Matthew Elvey) expressed reservations that the proposed settlement “inadequately compensated plaintiffs for their injuries . . . and mischaracterized the nature of the risks associated with the breach.” In addition, the Texas Attorney General also voiced its objections, arguing among other things that the proposed settlement “offered no meaningful relief to the class members,” and the award of proposed fees to class counsel was “excessive.” The parties incorporated some changes to the class settlement in response to the Texas AG’s objections, but even as revised, Judge Walker rejected the proposed settlement, noting that the influence of the Texas AG largely “resulted in changes to the nature and scope of the notice, rather than altering the purported benefits to the class.” Judge Walker also appointed Gretchen Nelson as substitute class counsel, replacing Kamber Edelson (whom he had provisionally appointed when he initially approved the original settlement). Elvey’s relationship with Kamber Edelson looks like it ended less than amicably, as you can see from one of his blog posts here. In any event, it looks like new class counsel was appointed and re-negotiated the terms of a settlement which ended up looking acceptable from Judge Walker’s standpoint. (Looks like Elvey still objects to the terms of the proposed settlement.) [Clarification/correction: Jay Edelson emails to note that Kamber Edelson is now two different firms (Edelson McGuire and KamberLaw) and that Scott Kamber was not “kicked off the case.” With respect to this point, I think it’s worth reproducing the court’s language in full:

The May 1, 2009 order of preliminary approval granted “provisional certification of the settlement class” and confirmed Kamber Edelson LLC, Parisi & Havens LLP, Scott A Kamber and Ethan Mark Preston (“Kamber et al”) as lead counsel. Doc #93 at 10. As the certification was provisional and preliminary to final approval, denial of final approval abrogates provisional class certification and the interim appointment of Kamber et al as class counsel. Hence, no class has been certified and no appointment of class counsel has been made under FRCP 23(g). On August 28, 2009, class member Holober suggested Gretchen M Nelson of the Kreindler and Kreindler firm to the court as substitute class counsel. . . . The court has considered Nelson’s experience in handling class actions and other complex litigation, her work in investigating potential claims in the action, her knowledge of the applicable law and the resources she will commit to representing the class. FRCP 23(g)(1)(C). Having considered these factors, it appears that Nelson is fully capable of fairly and adequately representing the interests of a class of TD Ameritrade accountholders.

Kamber remains a part of the case and his name is on the settlement agreement as well. That said, readers can come to their own conclusions as to what the court intended.]

We’ve blogged a bunch about data breach cases, mostly involving the rejection of data breach claims due to the absence of a showing of damages. There’s a larger debate as to whether plaintiffs are harmed and what courts should require of such plaintiffs. I have a post on this that’s been in the hopper for a couple of months now, and I’ll get around to posting on it soon. But in the meantime, it’s interesting to note that repeatedly, plaintiffs bring data breach class actions and their lawyers are quick to suggest a recovery which doesn’t involve payment of any significant compensation to the class (but which of course include hefty attorney’s fees awards). The Facebook Beacon (“Beacon Class Action Settlement Approved — Lane v. Facebook“) and Google Buzz (“Google Settles Buzz User Privacy Litigation“) settlements both fit into this category. It’s nice to see courts taking a closer look at these settlements. I wonder whether Judge Walker’s insistance on some concrete benefit to the class members and discussion of the reduced fees will set a precedent for future lawsuits like this one. Is increased scrutiny likely for these types of settlements? The Facebook Beacon settlement is on appeal to the Ninth Circuit and raises some issues that are similar to the ones raised in this case. It will be interesting to see what happens with it.

Related links:

Trials and Tribulations” (Matthew Elvey’s website where he chronicles the path of this litigation, including his falling out with Kamber Edelson)

Ameritrade Hack Settlement: $2 Per Victim, $1.8 Million for Lawyers” (one of several articles at Threat Level)

TD Ameritrade Account Holder Litigation, Case No. C 07 2852 VRW” (Class Action Website)

Interview: Scott Kamber On His ‘Spate’ Of Lawsuits Over Internet Privacy” (paidContent/Joe Mullin)

Earlier data breach posts:

Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit — Krottner v. Starbucks

Two More Courts Close the Doors on Data Breach Plaintiffs

9th Circuit Affirms Rejection of Data Breach Claims Against Gap — Ruiz v. Gap

The [Non]enforceability of Privacy Promises–Pinero v. Jackson Hewitt

Acxiom Not Liable for Security Breach

When Does a Privacy Policy Breach Support a Breach of Contract Claim? In re JetBlue