TD Ameritrade Settles Class Action Data Breach Suit for up to $6.5 Million
The U.S. District Court for the Northern District of California approved settlement of a class action suit against TD Ameritrade, alleging various claims due to a data security breach. The court approved the settlement, which will provide affected individuals with between $2.5 and $6.5 million, and includes attorney’s fees and expenses.
TD Ameritrade Admits Data Breach
In May 2007, Matthew Elvey filed a class action suit against TD Ameritrade Inc., claiming that it improperly allowed third parties to access his and other customers’ e-mail addresses, resulting in their receiving spam. Ameritrade confirmed the data breach and notified its customers in September 2007. Elvey and another plaintiff alleged violation of the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), 15 U.S.C. § 7704(a)(1), and state-law causes of action. Their lawsuit was consolidated with a class action suit alleging violation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, and several state-law claims.
Minimum of $2.5 Million
In May 2008 and October 2009, the court denied preliminary approval of proposed settlement agreements, finding that they provided insufficient benefit to class members. In December 2010, the court granted preliminary approval of a settlement class defined as “All persons who are or were accountholders or prospective accountholders of the Company and who provided physical or email addresses to the Company on or before September 14, 2007.” TD Ameritrade at 4. The third proposed settlement met with the court’s approval, because, unlike the prior two, it provided monetary compensation to the class.
Under the settlement, TD Ameritrade agreed to pay the class a minimum of $2.5 million and a maximum of $6.5 million, based on the number of claims submitted. If the claims exceed the maximum, then the individual payout will be proportionately reduced, and class counsel will receive no attorneys’ fees, which otherwise would be capped at $500,000. If the submitted claims amount to less than the minimum, then Ameritrade will donate the balance to non-profit privacy organizations agreed on by the parties.
Class members will receive $50 to $2,500 per claim, as follows: $50 for identity theft on an existing credit or debit card, $250 for identity theft on another account, and up to $1,000 (including the $250) for unreimbursed losses. Class members will have to submit proof of identity theft, such as a police report. TD Ameritrade, at its own expense, will retain an independent evaluator to assess its compliance with data security standards, and to correct any identified deficiencies. The court found that the requested attorneys’ fees of $500,000—contingent on funds available after payment of all claims—were reasonable under both the lodestar and percentage-of-fund methods, as were the requested costs of $27,808.
Weakness of Claims Support Settlement
As the court explained, its discretion in approving a final settlement requires balancing a number of factors, including the strength of the plaintiffs’ case and the risk, expense, complexity, and likely duration of further litigation. The court observed that federal courts have been skeptical of private class actions for data breaches, especially when the only alleged injury is the receipt of spam or increased risk of identity theft, as in this case. For example, “receipt of spam by itself . . . does not constitute sufficient injury entitling [the plaintiff] to compensable relief.” TD Ameritrade at 8 (quoting Cherny v. Emigrant Bank, 604 F. Supp. 2d 605, 609 (S.D.N.Y. 2009)). For a discussion of this case, see Bank’s Disclosure of Customer’s E-Mail Address to Spammers Not Actionable Without Allegation of Actual Injury, Bloomberg Law Reports — Privacy & Information, Vol. 2, No. 5 (May 2009).
The court noted that “defendants in data breach cases have been successful in thwarting plaintiffs’ efforts to obtain class certification.” Id. at 8 (citing In re TJ Cos. Retail Sec. Breach Litig., 246 F.R.D. 389, 397 (D. Mass. 2007). The court found the risk in proceeding with litigation weighed in favor of approving the settlement, “[g]iven the dearth of legal authority supporting Plaintiffs’ claims.” Id.
The court also found that the factors of expense, burden, and duration favored the settlement, in that a trial based on an alleged computerized data breach would necessitate costly expert testimony by both parties. Most importantly, the court found, the settlement was a “vast improvement” over previous proposals, because it reduced attorney’s fees and provided plaintiffs with discernable benefits. Id. at 9. Accordingly, the court approved the final settlement and dismissed the action.
This document and any discussions set forth herein are for informational purposes only, and should not be construed as legal advice, which has to be addressed to particular facts and circumstances involved in any given situation. Review or use of the document and any discussions does not create an attorney-client relationship with the author or publisher. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction or situation. Please consult with an attorney with the appropriate level of experience if you have any questions. Any tax information contained in the document or discussions is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code. Any opinions expressed are those of the author. Bloomberg Finance L.P. and its affiliated entities do not take responsibility for the content in this document or discussions and do not make any representation or warranty as to their completeness or accuracy.
©2011 Bloomberg Finance L.P. All rights reserved. Bloomberg Law Reports ® is a registered trademark and service mark of Bloomberg Finance L.P.