Certegy offers to settle lawsuit stemming from theft of data on 8.5M consumers

Check processing firm looks to end class action filed after DBA downloaded and sold info

In a move designed to avoid the time and costs associated with a protracted legal battle, Certegy Check Services Inc. has offered to settle a class-action lawsuit filed on behalf of 8.5 million people whose personal data was compromised by an insider theft that the company disclosed last July.

The 52-page settlement was proposed by St. Petersburg, Fla.-based Certegy on Jan. 9 but just came to light this week. It currently is under review by a U.S. District Court judge in Tampa.

Certegy, a check-processing company that is a subsidiary of Fidelity National Information Services Inc., said last summer that a rogue database administrator had illegally accessed and then sold the personal data of about 2.3 million consumers to data brokers. The company later upped the number of compromised accounts to 8.5 million in filings made to the U.S. Securities and Exchange Commission in August.

If accepted, Certegy's proposed settlement would give qualifying members of the plaintiffs class one year's worth of free credit monitoring services and $10,000 worth of identity theft insurance coverage, except for residents of New York, where the third-party credit monitoring firm being used by Certegy doesn't offer the insurance coverage. The settlement would also provide up to two year's worth of free bank account monitoring services for individuals whose banking information may have been compromised in the incident.

In addition, consumers who can show that they were victimized by identity theft as a result of the breach will be eligible for certain "out-of-pocket" costs, such as those resulting from bank overdraft fees, according to a copy of the settlement sent to Computerworld by Certegy.

But there are several caveats to that particular offer. For instance, Certegy has capped the total amount of money it will pay for identity theft claims to $4 million, which will be disbursed on a first-come, first-served basis. Claims have to be filed within 90 days of the discovery of an identity theft incident or before March 31, 2011 — whichever comes first. And the maximum amount that an individual can recover is $20,000.

Even then, people who sign up for a credit monitoring service with insurance coverage, such as the one offered by Certegy, will need to exhaust their coverage limits before they can file an identity theft claim with Certegy. And anyone who has declined such coverage will be eligible only for a maximum payment of $10,000 for any costs related to identity theft.

Certegy said that as part of the settlement, it also is willing to set aside up to $1 million to reimburse consumers for expenses they might have incurred thus far as a result of the breach. For instance, people who can show reasonable proof will be reimbursed up to $15 per month to a maximum of $180 for any credit monitoring services they have paid for, the company said. They also can claim up to $40 for the cost of opening up new checking accounts. Here again, though, the reimbursements will be available only on a first-come, first-served basis.

Avivah Litan, an analyst at Gartner Inc., welcomed Certegy's offer to monitor bank accounts for affected customers. But she said the company's proposed reimbursements for identity theft don't measure up to what is really needed.

"The identity-theft reimbursement is where the rubber hits the road, and their proposal should not have the limits it currently does," Litan said. "If they're responsible, they should reimburse, period."

She added that the $4 million cap set by Certegy in the proposed settlement is likely to be far too little given the number of potential victims. "What happens," Litan said, "if the money gets used up? Consumers are going to be out of luck."

On the other hand, the bank account monitoring offer is a good step, according to Litan. "It helps fill a noticeable gap in consumer account monitoring services," she said. "Right now, there are no services that consumers can use to alert them to suspect activity against bank accounts, so this will be useful."

Certegy discovered the data theft last May, when a retailer reported a correlation between check transactions and telephone and direct-mail marketing solicitations received by some of its customers. William G. Sullivan, a Florida resident who worked as a senior database administrator at Certegy, was arrested for allegedly downloading the information and selling it to another person, who in turn sold it to data brokers.

Sullivan, who was fired by Certegy after the scheme was uncovered, pleaded guilty to federal fraud charges in November and was scheduled to be sentenced today. He allegedly began downloading the information in 2002 and was paid about $580,000 for the data, which included names, addresses, dates of birth, phone numbers, checking account numbers, credit and debit card numbers, and payment card transaction data. Ironically, Sullivan's duties at Certegy included defining and enforcing data access rights.

Copyright © 2008 IDG Communications, Inc.

  
Shop Tech Products at Amazon