Security Policies Should be Part of Normal Business Practices According to Federal Judge
A federal judge has rejected a proposed settlement by TD Ameritrade Inc. in a data breach lawsuit. That marks the second time in recent months that a court has weighed in on what it considers basic security standards for protecting data. The case stems from a 2007 breach that exposed more than 6 million customer records.
The federal judge did not find the proposed settlement to be "fair, reasonable, or adequate." Rather than benefiting those directly affected by the breach, Ameritrade's proposed settlement was designed largely to benefit the company. The judge described the additional security measures that Ameritrade proposed in the settlement as "routine practices" that any reputable company should be taking anyway and should be defined in their normal security policies and procedures.
In September 2007, Ameritrade said that the names, addresses, phone numbers, and trading information of potentially all of its more than 6 million retail and institutional customers at that time had been compromised by an intrusion into one of its databases. The stolen information was later used to spam those customers.
As part of an effort to settle claims arising from that incident, Ameritrade this May said it would retain an independent security expert to conduct penetration tests of its networks to look for vulnerabilities.
The company also offered to retain the services of an analytics firm to find out whether any of the data that had been compromised in the breach had been used for identity theft purposes. The company also said it would give affected customers a one-year subscription for antivirus and anti-spam software.