Saturday, May 03, 2008

Does the proposed class action settlement in the Certegy data breach case lack teeth?

I happened to notice I was getting a lot of hits on some posts about the Certegy data breach and discovered that there is a proposed settlement in the class action lawsuit against them.

Tim Wilson at Dark Reading pointed out that this settlement amounts to Certegy paying less than $1 per victim and wrote:

Certegy Check Services is proposing to settle a class action lawsuit of last year's security breach on behalf of 8.4 million victims for about $4 million.

According to a report in the St. Petersburg (Fla.) Times, Certegy will also offer free credit monitoring services to some victims and reimbursement of credit monitoring expenses totaling $1 million on a first-come-first-served basis.

He also surmised in his article that:

While plaintiffs' lawyers hailed the offer as a victory, critics said the relatively small settlement will not help the cause of identity protection. The massive TJX breach also resulted in a relatively small settlement for the victims, netting about $6.5 million for customers.

Of note, I would imagine the plaintiffs' lawyers made A LOT more than $1 each for orchestrating this event. In all fairness, the precedent set by similar actions might mean there isn't a very "deep pocket" on this type of action.

At $1 million for monitoring divided by 8.4 million potential victims, if any of them want the free monitoring, they had better move quickly.

So far as the $4 million being set aside to make victims whole, I wonder how hard it is going to be for them to prove (as required by this settlement) that Certegy was the point-of-compromise in their case? The general rule of thumb is that identity thieves, even if they are caught (rare), probably aren't 100 percent sure where the information came from themselves. There is so much stolen information out there, it's being traded over the Internet.

The sad truth is that with all the data breaches out there, it might be hard to prove exactly where an identity theft victim's information was compromised.

So far as the criminal prosecution of the employee, one William Sullivan, who sold off 8.5 million people's records, I did a post in November about how he was able to make a plea bargain and get a reduced sentence in this case. There was a mention of a data broker being a co-conspirator, but they never seemed to be named (at least in public).

Personally, I've always had mixed feelings about lawsuits that result when data breaches occur. There is an argument that at least some (my opinion) of the organizations being breached are victims in the overall equation, also.

Saying that, if this class action and the one for TJX have set the legal precedent on this type of action, they are unlikely to serve as much of a deterrent against data breaches, or all the identity theft that results from them. Furthermore, the criminal prosecution of William Sullivan in his case is unlikely to be much of a deterrent, either.

In fact, these results are probably going to do little to inspire organizations to protect their information better and, for some, will probably be viewed as a cost of doing business.

I guess it's time to go back to the drawing board to figure out a way to effectively address information/identity theft and data breaches?

Here are the original posts I did on this matter, which contain some angry commentary from more than one victim:

Not to worry, check processing company (Certegy) believes the 2.3 million stolen records will not be used for fraud!

Certegy reveals their data breach is a lot larger than originally reported

Class action law suit filed against Certegy for data breach

2 comments:

Unknown said...

How's this for irony: the website to opt-in for eligibility for bank monitoring and reimbursement for identity theft for the Certegy settlement does not have a valid security certificate??? I hope people are aware of that before they go putting their info in on that site.

Anonymous said...

I'd be very wary about giving them bank account #'s, driver's license #'s, etc. If you weren't an identity theft victim before, you might be now.