A federal judge has denied a proposed settlement of a class-action suit filed against TD Ameritrade Inc. for a 2007 data security breach that exposed its customers' personal information.
In his ruling in San Francisco last week, U.S. District Chief Judge Vaughn Walker cited concerns with the security measures offered by TD Ameritrade in the proposed settlement. The brokerage offered to retain an independent expert to conduct penetration tests to determine whether its information security system has vulnerabilities, hire ID Analytics to determine whether the breach resulted in identity theft for those affected by the incident, and also provide them with a one-year subscription or one-year renewal for an antivirus or antispam product.
The first two measures are security procedures any reputable company would conduct and don't benefit those affected by the breach, Walker said in a court filing Friday.
"While it is obvious that, as a large company that deals in sensitive personal information, penetration and data breach tests should be routine practices of TD Ameritrade 's department that handles information security, it is not clear that such tests benefit the class," he wrote. He added that he wasn't convinced the procedures - which he called temporary fixes - prove that "the company has corrected or will address the security of client data in any serious way, let alone provide any discernable benefits for the class."
The offer of security software also offers little benefit to customers affected by the breach, including those who already own such software or who use free anti-spam services, Walker said.
In September of 2007, TD Ameritrade disclosed that intruders broke into a database that included sensitive customer information; more than 6 million customers reportedly were affected. The company discovered the attack because some customers complained about receiving spam targeted TD Ameritrade customers.
Walker ordered both sides involved in the lawsuit to meet on Dec. 10 to discuss scheduling and other matters.