Judge says TD Ameritrade's proposed security fixes aren't enough
Court rejects company's proposed class-action settlement for 2007 data breach
Computerworld - A federal judge's rejection of a proposed settlement by TD Ameritrade Inc. in a data breach lawsuit marks the second time in recent months that a court has weighed in on what it considers to be basic security standards for protecting data.
U.S. District Court Judge Vaughn Walker in San Francisco yesterday denied final approval of a settlement that had been proposed by TD Ameritrade in May to settle claims stemming from a 2007 breach that exposed more than 6 million customer records.
In arriving at his decision, Walker said the court didn't find the proposed settlement to be "fair, reasonable or adequate." Rather than benefiting those directly affected by the breach, Ameritrade's proposed settlement was designed largely to benefit the company, Walker wrote in his 13-page ruling.
In September 2007, Ameritrade announced that the names, addresses, phone numbers and trading information of potentially all of its more than 6 million retail and institutional customers at that time had been compromised by an intrusion into one of its databases. The stolen information was later used to spam those customers.
As part of an effort to settle claims arising from that incident, Ameritrade this May said it would retain an independent security expert to conduct penetration tests of its networks to look for vulnerabilities.
The company also offered to retain the services of an analytics firm to find out whether any of the data that had been compromised in the breach had been used for identity theft purposes. The company also said it would give affected customers a one-year subscription for antivirus and antispam software.
It was those offers that the judge dismissed as too meager. He described the additional security measures that Ameritrade proposed in the settlement as "routine practices" that any reputable company should be taking anyway.
Penetration tests provide a reliable way for companies to detect the sort of security weaknesses that led to the Ameritrade breach, Walker said. But "as a large company that deals in sensitive personal information, penetration and data breach tests should be routine practices of TD Ameritrade's department that handles information security," he wrote.
The two "very temporary fixes do not convince the court that the company has corrected or will address the security of client data in any serious way, let alone provide discernible benefits," he noted.
A TD Ameritrade spokeswoman expressed disappointment at the ruling, especially considering the amount of time spent working to arrive at the proposed settlement. "We felt it was fair and reasonable and would have provided benefit to members of the class," she said.
Both sides are scheduled to meet in court again in December to try to figure out how to move forward. "There are a number of options available to us," the spokeswoman said, though she declined to elaborate.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!