In re TD Ameritrade Accountholder Litigation

266 F.R.D. 418 | N.D. Cal. | 2009

ORDER

VAUGHN R. WALKER, Chief Judge.

This Document Relates to: All Actions

This is a class action against TD Ameritrade for a security breach that exposed TD Ameritrade accountholder private information to “spammers” and rendered the same information vulnerable to others. Doc # 60 at 1-6. The court granted preliminary approval of the class action settlement on May 1, 2009. Doc # 93. The parties now seek final approval of the proposed settlement pursuant to FRCP 23(e). Docs # 182-183. As discussed in greater detail below, the court DENIES final approval of the settlement.

I

Plaintiffs originally moved for preliminary approval of the class action settlement on May 30, 2008. Doc # 53. On June 13, 2008, the court denied approval for several reasons, including the failure of the parties to establish facts necessary for the court to evaluate the settlement and the attorney fee request (Doc # 61 at 2-3) and objections voiced by Matthew Elvey, one of the class representatives. At a hearing the previous day, Elvey had expressed numerous “reservations” about the settlement. Doc # 61 at 3.

On August 29, 2008, attorney Mark Chavez entered his appearance on behalf of Elvey. Doc # 71. Subsequently, Elvey submitted a memorandum opposing preliminary approval of the settlement. Doc # 73. Elvey argued that the proposed settlement inadequately compensated the plaintiffs for their injuries related to the security breach and mischaracterized the nature of the risks associated with the breach. Id at 6.

At a hearing on October 7, 2008, the court granted attorney Gregory Beck’s application to represent Elvey on a pro hac vice basis (Doc # 83) and asked both Chavez and Beck if they would be willing to represent the *420entire class in an effort to seek a more favorable settlement or to go to trial. Doc # 87 at 4-5. Both attorneys declined to do so. Id. Instead, Chavez and Beck offered to assist the parties in achieving adequate notice to the class. Id at 30.

TD Ameritrade submitted the proposed settlement terms and the proposed notice to be given to the class on October 20, 2008. Doc # 86. In return for the class dropping its claims against TD Ameritrade, TD Ameritrade offered to (1) post a warning on its website “regarding stock spam”; (2) “continue to retain independent experts” to test TD Ameritrade’s security vulnerabilities; (3) continue “account seeding” to determine whether unauthorized persons have acquired customer email addresses; (4) provide each settlement class member with a unique identifier number that can be used to obtain a one-year subscription to an anti-virus, anti-spam internet security product; (5) retain a company to perform an analysis to determine whether any incidents of organized misuse of personal information had occurred involving data in the TD Ameritrade database (four such analyses already had been performed) and to inform settlement class members whose personal information is discovered to be the subject of organized misuse; (6) donate $55,000 to specified cyber-security projects; and (7) pay claims administration and notice expenses for the settlement. Doc # 86, Exh 5 at 9-12.

On November 13, 2008, the Texas Attorney General submitted objections to the proposed settlement. Doc #93, Attach 1. The Texas Attorney General noted that approximately 415,089 Texans were included in the proposed settlement class and described four objections to the proposed settlement: (1) the proposed settlement agreement offered “no meaningful relief to the class members”; (2) the award of proposed fees to class counsel was excessive; (3) the proposed settlement failed to address the harm of identity theft adequately; and (4) the proposed release was too broad. Id. The Texas Attorney General contended that the settlement was essentially worthless because the “warning” to be placed on the TD Ameritrade website would largely go unseen by consumers most vulnerable to stock spam, the security measures TD Ameritrade agreed to conduct should have been conducted by “any reputable company” anyway and the coupon for security software was of little value because similar software was largely available to most internet users for free or at low cost. Id at 2. The Texas Attorney General also noted that the class members were to receive no monetary recovery while the proposed attorney fee award for class counsel was substantial—$1.87 million. Id at 2. The proposed settlement agreement, according to the Texas Attorney General, did not address adequately the potential harm to class members from identity theft. Id at 3. The Texas Attorney General further argued that the settlement agreement should make clear that the individuals who engaged in the unauthorized access are not “Released Parties,” and “Releasing Parties” should be amended to make clear that government entities such as the Texas Attorney General has not released any claims to relief related to this security breach. Id at 3-4.

On December 5, 2008, the Texas Attorney General’s office informed the court that it was “engaged in a promising dialogue about its concerns with counsel for the plaintiffs and the class.” Doc # 88-2 at 1. According to a supplemental filing by counsel for the plaintiffs, over a period of four months the parties held a series of discussions with the Texas Attorney General’s office addressing the objections to the proposed settlement outlined above. Doc # 90 at 2.

Then on March 2, 2009, the Texas Attorney General notified the court that the parties proposed a list of amendments to the proposed settlement agreement and notice to address the Texas Attorney General’s concerns. Doc # 90, Exh A at 2-3. These amendments included the following:

In the Settlement Agreement:
Broadening the carve-out for identity theft-related claims in the “Released Claims” section to ensure that Settlement Class Members are able to pursue future claims that arise due to identity theft;
Removing the language that purports to release claims that may be brought by a *421governmental entity and explicitly stating that such claims are not released; Excluding persons who participated in the security breach or assisted those who did from the definition of “Released Parties” and “Third Party Beneficiaries,” thereby preventing them from receiving any benefit or protection from the Settlement Agreement;
Ensuring that the opportunity for the Settlement Class Members to take advantage of the Trend Micro Internet Security Products granted under the Settlement Agreement is extended until January 1, 2010;
Including a definition of the term “organized misuse,” in order to make the Settlement Agreement more understandable, on its face, to a Settlement Class Member;
Amending the section regarding the “Voluntary Identity Theft Benefits” that TD Ameritrade may extend to Identified Class Members to: (1) eliminate confusion between that process and claims that may be brought in court, and (2) avoid the unintended release of such claims;
Under the Voluntary Identity Theft Benefits program, expanding the window of time for an Identified Class Member to respond to TD Ameritrade regarding the Member’s intention to seek such benefits from 30 days to 90 days;
Under the Voluntary Identity Theft Benefits program, clarifying that an Identified Class Member’s right to file suit against TD Ameritrade for identity-theft related harm is preserved up until the point that the Identified Class Member submits a claim in a binding arbitration process; and
TD Ameritrade agreeing to provide all Settlement Class Members, not just Identified Class Members, with dedicated customer support for relating [sic] to the benefits provided under the Settlement Agreement and questions concerning spam and identity theft for a full twelve months.
In the Notice and related correspondence:
Providing an explanation of the basis of the suit that includes the fact that TD Ameritrade’s computer database suffered a data security breach and exposed the Class Members to the risk of identity theft (as opposed to an “unauthorized acquisition”) so that Class Members have more information on which to base their decision to remain in the class, opt out, or object to the settlement.

Doc # 90, Exh A at 2-3. The Texas Attorney General’s office withdrew its objections to the proposed settlement provided that the above amendments were implemented. Id at 3.

On March 19, 2009, the parties submitted a supplemental statement with a revised proposed settlement agreement and forms of notice. Doe # 90. The revised proposed settlement agreement and forms of notice incorporated the amendments urged by the Texas Attorney General as a condition for withdrawing the objections on behalf of the state of Texas. Doc # 90, Exh B-E. The court granted preliminary approval of the class action settlement on May 1, 2009. Doc #93.

On August 20, 2009, the parties moved for final approval of the proposed settlement pursuant to FRCP 23(e). Docs # 182-183. On August 28, 2009, class member Richard Holober, identifying himself and naming Gretchen M. Nelson of the Kreindler and Kreindler firm, filed notices of availability of new class representative and substitute class counsel. Docs # 184-185. A hearing addressing the proposed settlement was held on September 10, 2009, at which time Nelson addressed the court and stated her availability and willingness to enter the ease as substitute class counsel. Doc # 187.

II

Federal Rule of Civil Procedure 23(e) requires court approval for the settlement of any class action. In order to be approved, a settlement must be “fundamentally fair, adequate and reasonable.” Torrisi v. Tucson Elec. Power Co., 8 F.3d 1370, 1375 (9th Cir. 1993) (quoting Class Plaintiffs v. Seattle, 955 *422F.2d 1268, 1276 (9th Cir.1992), cert, denied, 506 U.S. 953, 113 S.Ct. 408, 121 L.Ed.2d 333 (1992)), cert, denied, 512 U.S. 1220, 114 S.Ct. 2707, 129 L.Ed.2d 834 (1994). Because the purported benefits to the class remain the problematic element of the settlement, the court first will address whether in light of the objections concerning the purported benefits of the settlement, the proposed settlement agreement should be approved as fair, reasonable and adequate.

A

“Basic to [the process of deciding whether a proposed settlement is fair, reasonable and adequate] * * * is the need to compare the terms of the compromise with the likely rewards of litigation.” Protective Committee for Independent Stockholders of TMT Trailer Ferry Inc. v. Anderson, 390 U.S. 414, 424-25, 88 S.Ct. 1157, 20 L.Ed.2d 1 (1968). Class counsel contend that as a result of the novelty of plaintiffs’ claims, the likely rewards of litigation in this case appear modest. Doc # 183 at 12 (“Class Counsel are confident in the strength of Plaintiffs’ claims; however, they are also cognizant of the legal uncertainty in this litigation.”). But, even when considering the relative uncertainty of plaintiffs’ claims, it appears that the proposed settlement seeks to confer no discernible benefit upon the class.

Under the proposed settlement, TD Ameritrade agrees to: (1) retain an independent expert who will conduct penetration tests to determine whether TD Ameritrade’s information security system has any vulnerabilities; (2) retain ID Analytics to conduct an additional analysis to determine whether the data breach may have resulted in identity theft for any members of the settlement class; and (3) provide each class member with a unique identifier number that may be used to obtain a one-year subscription or a one-year renewal for an anti-virus, anti-spam internet security product. Docs # 90-92; 182.

Of these purported benefits, the first and second seem to benefit the company more than the class. The court’s concern is echoed by Elvey, who objects that “[t]he settlement does not require Ameritrade to adopt any new [permanent] security measures to remedy the problems giving rise to the lawsuit, or even to reveal what those security problems were and how it has fixed them.” Doc # 72 at 13.

Concerning the first purported benefit, the parties assert that the class is benefitted by penetration tests performed to determine whether TD Ameritrade’s information security system has any vulnerabilities. TD Ameritrade contends that this test will give class members “another object I’ve basis to have confidence that TD Ameritrade’s information security system is sound,” (Doc # 182 at 13), while class counsel argues that “[p]enetration testing is a reliable method to detect security weaknesses that would allow an outside hacker to penetrate databases such as the one at issue in this litigation.” Doc # 183 at 22.

Regarding the second pm-ported benefit, the parties state that the tests performed by ID Analytics would make class members aware if they were victims of identity theft (Doc # 182 at 13), at which time victims would have access to dedicated customer support “trained to help remediate any harm from identity theft” (Doc # 183 at 22).

To quote the Texas Attorney General’s former objection, these measures should be conducted by “any reputable company” anyway. Doc # 93, attach 1. While it is obvious that, as a large company that deals in sensitive personal information, penetration and data breach tests should be routine practices of TD Ameritrade’s department that handles information security, it is not clear that such tests benefit the class. Even if, in the words of the company, the tests will give class members “another objective basis to have confidence that TD Ameritrade’s information security system is sound,” confidence in this instance does not provide any real value to the class. In short, these two—very temporary—fixes do not convince the court that the company has corrected or will address the security of client data in any serious way, let alone provide discernable benefits for the class.

The third purported benefit, a one-year subscription or extension of anti-spam software, also confers little to no benefit upon *423the class. On this point, the Texas Attorney General initially argued that this software is of little value because similar software is available to most internet users for free or very little cost. Doc # 93, attach 1. Elvey builds upon this argument in his objection:

Although spam is only one aspect of this case, it is the target of the only relief of any possible value: a one-year subscription to Trend Micro Internet Security Pro anti-spam software. The provision of this software does not render the settlement fair. The Court has a responsibility “to ensure that the settlement provides real value” by offering the relief that the class will actually use. * * * Here, the settlement would leave many class members who already have anti-spam software or who use popular online email clients like Gmail, Yahoo!, and Hotmail that are free of charge and have anti-spam capabilities built in [with no discernable benefit]. Moreover, many class members will have already changed their email addresses, either because they have been deluged with spam related to the data breach or for some other reason [such as change of employment].

Doc #72 at 19 (citations omitted). Elvey’s objection correctly states that three broad groups of class members will receive no benefit from the software: Group one is comprised of those individuals who own anti-spam software. A one-year subscription for another anti-spam package would confer no real benefit to such class members, nor would a one-year “extension” in a situation in which a class member owned a similar software package of extended length. Group two is composed of class members who utilize antispam email services such as Gmail, Yahoo! or Hotmail. As a part of these services, spam messages are directed to a separate “spam” folder without the assistance of individually-acquired software. Group three is made up of those class members who, for one reason or another, changed email addresses. For these members, the software may not be valueless on paper, but they will no longer be able to use the software for its intended purpose: to block the fraudulent spam caused by Ameritrade’s alleged data breach.

TD Ameritrade summarily dismisses Elvey’s objection, arguing that since Elvey could not achieve his ultimate objective of receiving a large cash payment for the class if he continued to litigate, his objection is groundless. Doc # 182 at 17. Meanwhile, class counsel attempts to put a numerical figure on the cost of the software to TD Ameritrade. Doc # 183 at 14. But as class counsel acknowledges the standard is not how much money a company spends on purported benefits, but the value of those benefits to the class. Id. (citing O’Keefe v. Mercedes-Benz United States, LLC, 214 F.R.D. 266, 304 (M.D.Pa.2003)) (settlements should be valued according to their “benefit to the class and not the cost to defendant”). See also FRCP 23(h), 2003 Advisory Committee Notes (“Settlements involving nonmonetary provisions for class members also deserve careful scrutiny to ensure that these provisions have actual value to the class.”).

Furthermore, despite the parties’ best efforts, the fact that the Texas Attorney General was involved in the process of reaching the proposed settlement does not convince the court that the proposed settlement is fair, reasonable and adequate. While the Texas Attorney General’s office brought a well-needed adversarial component to these proceedings, its efforts largely resulted in changes to the nature and scope of the notice, rather than altering the purported benefits to the class.

In deciding to participate in these proceedings, the Texas Attorney General’s office cited its concern that “no meaningful relief [was to be provided] to the class members.” Doc # 93, attach 1. The court shares this concern. From the perspective of the class, the worst-case scenario may be realized if following this denial of final settlement approval the case were to fail on dispositive motion. But in that event, class would end up essentially in the same situation it would be if final settlement approval were approved: with nothing. Because the purported benefits to the class do not warrant settlement approval, the court DENIES final approval of the proposed settlement.

*424III

Denial of final approval of the proposed settlement presents an unusual situation. The May 1, 2009 order of preliminary approval granted “provisional certification of the settlement class” and confirmed Kamber Edelson LLC, Parisi & Havens LLP, Scott A Kamber and Ethan Mark Preston (“Kamber et al”) as lead counsel. Doc # 93 at 10. As the certification was provisional and preliminary to final approval, denial of final approval abrogates provisional class certification and the interim appointment of Kamber et al as class counsel. Hence, no class has been certified and no appointment of class counsel has been made under FRCP 23(g).

On August 28, 2009, class member Holober suggested Gretchen M. Nelson of the Kreindler and Kreindler firm to the court as substitute class counsel. Docs # 184-185. The “selection and activity of class counsel are often critically important to the successful handling of a class action.” FRCP 23(g), 2003 Advisory Committee Notes. The court has considered Nelson’s experience in handling class actions and other complex litigation, her work in investigating potential claims in the action, her knowledge of the applicable law and the resources she will commit to representing the class. FRCP 23(g)(1)(C). Having considered these factors, it appears that Nelson is fully capable of fairly and adequately representing the interests of a class of TD Ameritrade account-holders. FRCP 23(g)(1)(B). The court recognizes that the denial of final approval changes how this litigation will proceed. In order to give the parties and counsel an opportunity to consider their respective positions and present their views to the court, this order schedules a case management conference in the near future.

IV

In light of the court’s reservations about the purported benefits of the proposed settlement, the court cannot find that the proposed settlement is fair, reasonable or adequate. Final approval of the proposed settlement, (Docs # 182-183) therefore is DENIED.

IT IS FURTHER ORDERED that the provisional class certification and lead counsel appointment as part of this court’s May 1, 2009 order are set aside.

IT IS FINALLY ORDERED that on December 10, 2009, at 3:30 PM, Kamber et al, Nelson and TD Ameritrade are to attend a ease management conference to discuss scheduling and other matters, including the possible addition of Nelson to these proceedings as substitute counsel.

IT IS SO ORDERED.