In re Ameritrade Accountholder Litigation: Court Rejects Class Settlement He Viewed as Providing Members of Plaintiff Class with No Real Benefits
On October 23, 2009, Judge Vaughn Walker did something that doesn't happen very often. He rejected final approval of a class action settlement that was opposed by less than .001% of the members of the plaintiffs' class. The reason: he had come to believe that while the settlement would cost Ameritrade millions, and pay $1.87 million to the plaintiffs' counsel, it ultimately provided the plaintiffs themselves with no real benefits.
The case is In re TD Ameritrade Accountholder Litigation, N.D. Cal. C-07-2852, a class action that was originally filed in 2007 regarding an allegedly long-term data security breach at Ameritrade. Ameritrade is a well-known brick and mortar and on-line stock broker, whose commercials star Sam Waterston of Law and Order fame.
In October 2006, Ameritrade customer Matthew Elvey, who graduated from Yale with a B.S. in computer science and mechanical engineering and works as a website infrastructure consultant (as he describes his business; see his bio at http://www.elvey.com/), decided to test Ameritrade's data security system. So he provided Ameritrade with a unique email address that he had never provided to any other person. In November 2007, Elvey allegedly began to receive stock spam directed to this secret address. The spam allegedly touted low-priced, speculative stock of smaller companies that are traded over-the-counter, and was part of stock "pump and dump" schemes.
Elvey filed a class action against Ameritrade in 2007. The complaint focused on Ameritrade's Privacy Statement which allegedly told customers that "Ameritrade does not sell, license, lease or otherwise disclose your personal information to any third party for any reason . . . " According to Elvey's complaint, the "spam received by Plaintiffs was not consistent" with these representations.
The Elvey suit was later consolidated with a class suit filed by lead plaintiff Brad Zigler. The combined class action sued Ameritrade on breach of fiduciary duty, CFAA, and Nebraska and California unfair trade practices grounds. The plaintiffs claimed that Ameritrade had breached its duties to them by knowingly failing to correct defects in its security system and by failing to disclose the security breach that had led to the spam attacks on its customers. The plaintiffs claimed that they were damaged by "losing the benefit of the bargain on Ameritrade's brokerage fees, which were premised, in part, on Ameritrade's compliance with the privacy statement . . . ."
While TD Ameritrade filed a motion to dismiss the original Elvey complaint -- a motion that was never heard -- it did not file a similar motion for the consolidated complaint. Instead, it began settlement negotiations with the Plaintiffs. This resulted, in October 2008, in a proposed settlement which released Ameritrade for any damage claim, "of any kind," based on "any legal theory whatsoever," that "is, has been, or could have been asserted by" a member of the settlement class for: (i) an unauthorized disclosure of their information by Ameritrade, (ii) their receipt of SPAM e-mail and (iii) misrepresentations in Ameritrade's privacy statement. The settlement applied to any person who had provided Ameritrade with a physical or email address on or before September 14, 2007. It did carve out a right for individuals to file identity theft claims on their own behalves -- but not as part of a class action.
In exchange, Ameritrade agreed (i) to post a warning regarding stock spam on its website's "Security Center" page on four different occasions, for a one-week period each, (ii) to "continue to retain" experts to perform bi-annual "penetration tests" of Ameritrade's security system through December 31, 2009, (iii) to "continue the practice" of account seeding, another system security test, through June 30, 2009, (iv) to provide each class member with a "unique identifier that may be used to obtain a one year subscription or one-year renewal for an anti-virus, anti-spam internet security product," (v) to provide a mechanism for settling class members to pursue individual claims for identity theft with Ameritrade if its security experts found evidence of widespread identity theft from the data breach, and (vi) to pay $55,000 to two Internet security projects.
The settlement also proposed to pay the four lead plaintiffs sums reportedly ranging from $1,000 to $10,000. The other 6 million members of the plaintiffs' class were to receive no cash payments. The settlement also proposed to pay plaintiffs' counsel $1,870,000 in attorneys' fees.
After the proposed settlement was filed with the Court in October 2008, the Attorney General for the State of Texas objected. After a lengthy negotiation with the Texas Attorney General, a revised settlement was submitted in March 2009 that dealt with a number of his objections. These changes did not affect the major terms outlined above. After the time for notice to the plaintiff class and objections had passed, in August 2009, the parties moved for final approval of the settlement.
Unfortunately for the plaintiffs' counsel, they were unable to keep one very important plaintiff on board with the settlement. That plaintiff was Matthew Elvey. In the summer of 2008, Elvey had a falling-out with his counsel. This falling-out occurred shortly after the class actions were consolidated, suggesting that Elvey's problems were caused by the entry of new counsel into the case. A July 2008 letter that Elvey sent the Court stated that his concern was to ensure that the interests of the absent class members were adequately protected. In any event, in September 2008, Elvey announced that his new lawyer was Greg Beck, of Public Citizen Litigation Group -- a well-known consumer advocacy group co-founded by Ralph Nader.
Elvey filed a lengthy objection to the proposed settlement. The objection argued that the settlement improperly released Ameritrade from a host of claims, while providing "nothing of value to the class." It faulted the proposed identity theft "claims process," which only gave Ameritrade clients the right to pursue identity theft claims they already had. The four one-week warnings Ameritrade promised to post on its website were "useless and generic" and would warn class members of "nothing." The one free year of credit monitoring "would provide even less than the year of free credit monitoring and 50 free trades that Ameritrade voluntarily gave to clients who complained about the problem." Ultimately, many of the provisions in the proposed settlement simply specified that Ameritrade was required to keep doing things it was already obligated to do and had been doing for some time. Elvey's objection further stated that the "$1.87 million in attorneys' fees . . . given the paltry nature of the class relief, makes counsel the primary beneficiary of the agreement."
Elvey contended that the settlement fundamentally misunderstood the injuries caused by the data breach. The issue of stolen email addresses and spam was only one aspect of the case. According to Elvey's counsel, the data breach gave hackers "sensitive data of six million Ameritrade clients, including social security numbers, birth data, account numbers, phone numbers, and addresses." This information was sufficient for a criminal to "obtain government issued documents, commit credit card fraud, open bank accounts, obtain credit, purchase and/or steal homes, or even evade arrest by masquerading as someone else."
Elvey's objection also hinted at the new legal direction in which Elvey's legal counsel intended to take the case, noting that "class members appear to have relatively straightforward claims for fraud or false advertising."
In its brief in support of the settlement, Ameritrade argued that its expert on data security, ID Analytics, had found "no instances of identity theft associated with the data breach." The only injuries alleged by the plaintiffs were receipt of spam, increased risk of identity theft and alleged loss of benefit of the bargain. However, Ameritrade claimed that "courts uniformly have dismissed claims for monetary damages and injunctive relief based on these types of alleged injuries." So if the settlement were not approved, it contended that "further litigation would likely not yield any benefits to the class." Ameritrade also claimed that Elvey's objection was really driven by Ameritrade's threatened withdrawal of a prior offer to pay him a $10,000 incentive award as part of the settlement. (According to Matthew Elvey, Ameritrade threatened to withdraw the $10,000 offer if he didn't agree to the settlement. After he filed his objection, Ameritrade then withdrew the offer. As such, the objection Elvey filed had nothing to do with Ameritrade's withdrawal of the $10,000 offer, since he filed his objection before the offer was withdrawn.)
Judge Walker began his assessment of these arguments by noting that he was obligated to compare the terms of the settlement with the "likely rewards of litigation" (citing Protective Committee for Independent Stockholders of TMT Trailer Ferry Inc. v. Anderson, 390 US 414, 424-25 (1968)). The relevant standard for this analysis was not how much money the settlement would cost the defendant, but the benefits of the settlement to the plaintiff class (citing O'Keefe v. Mercedes-Benz United States, LLC, 214 FRD 266, 304 (MD Pa 2003)).
Judge Walker agreed with Elvey that key terms of the settlement seemed to "benefit the company more than the class." The penetration and data breach tests it agreed to perform "should be routine practices" for a firm like Ameritrade. Other terms also provided no real benefits to the plaintiffs. The one-year anti-spam subscription was a prime example of this, because "similar software is available to most internet users for free or very little cost."
He noted that counsel for the plaintiffs had contended that because of the novelty of the plaintiffs' claims, "the likely rewards of litigation appear modest." He also noted that "in deciding to participate in these proceedings, the Texas Attorney General's office cited its concern that 'no meaningful relief [was to be provided] to the class members.'" However, while he admitted that "[t]he court shares this concern," this did not provide a sufficient basis for him to approve the settlement. "From the perspective of the class, the worst-case scenario may be realized if following this denial of final settlement approval the case were to fail on a dispositive motion," he wrote. "But in that event, [the] class would end up essentially in the same situation it would if final settlement approval were approved, with nothing." Accordingly, he denied the settlement.
In addition to rejecting the settlement, Judge Walker also indicated what appears to be disapproval of the counsel for the plaintiffs' class. Noting that denial of final approval of the class settlement also abrogated his prior orders in which he had approved the appointment of the counsel for the plaintiff class, he set aside his prior appointment of the plaintiffs' counsel. He then stated that the "selection and activity of class counsel are often critically important to the successful handling of a class action." Noting that a member of the plaintiffs' class had recently proposed appointment of a new attorney to represent the class, he recommended her to the plaintiffs as substitute class counsel. I don't think I am reading too much into this portion of his ruling to take it as a clear rebuke to plaintiffs' counsel who admit they have little faith in their clients' claims and then arrange for a settlement that gives them $1.87M in fees, while giving their clients nothing.
Where will this case go? Readers of this blog know that Ameritrade does have one major point right: courts have frequently dismissed data breach cases when the plaintiffs have not been able to provide evidence of actual dollar losses from identity theft. Time will tell whether the fraud and breach of contract theories proposed by Elvey's new counsel have any legs.
Some may say that the end result in this case doesn't matter, compared with the importance of policing consumer class action settlements to ensure that they really do provide benefits to consumers.
Note:
After posting the original version of this entry, I received an email from Matthew Elvey offering a few corrections and clarifications. These changes have been reflected where indicated, above.
I do appreciate and respond to comments to my blog entries. Being able to fix things is one of the beautiful things about the internet.
D.J.
David D. Johnson is a business lawyer whose practice focuses on litigation and other issues relating to digital media and consumer electronics companies. David can be contacted at (310) 785-5371 or DJohnson@jmbm.com.
