A proposed settlement by Certegy Check Services, which lost the personal financial information of millions of Americans last fall in an insider-related data breach, of a class-action lawsuit is a "mixed bag" that falls short of protecting the victims, security analysts told SCMagazine US.com.
The tentative settlement between Certegy and class-action lawyers is now under review by U.S. District Court Judge Steven D. Merryday in Tampa, Fla. If accepted, it would offer only partial help to some of the 8.4 million customers whose personal information was stolen by a Certegy employee over a five-year period.
Under terms of the agreement, Certegy would offer credit and bank account monitoring, identity theft reimbursement capped at $4 million, reimbursement of some credit monitoring fees, and enhanced security. The settlement calls for Certegy to give consumers a free one-year subscription to Experian's Triple Alert, a $4.95 monthly service that monitors credit reports for evidence of fraudulent activity. The plan limits those eligible to about 1.25 million consumers whose credit card or debit card information was stolen.
It also calls for Certegy to monitor bank accounts for evidence of fraud over a two-year period. Roughly 4.25- million consumers whose account data were stolen would qualify.
A Certegy ex-employee, William "Gary" Sullivan, who has plead guilty to the thefts in November, admitted to stealing the personal data and selling part of it to a third-party marketing company. He is scheduled for sentencing Friday.
Avivah Litan, a vice president at research firm Gartner, told SCMagazineUS.com there were multiple problems with the tentative plan. Most notably, she took issue with the first-come, first-served $4 million reimbursement limit. That is less than $1 per victim.
"I don't think it's appropriate to cap that," she said. "Just reimburse consumers for any losses incurred or reimburse the consumers' banks."
It is, after all, the banks who pay the consequences if consumers prove someone had unauthorized access to their account. "The bank has to pay the consumer back," she said. With a limit, it's likely the impacted banks will sue Certegy if they incur significant losses, she added.
"That's what happened with TJX -- the banks sued TJX for losses they accrued when they paid consumers back," Litan said.
She called the credit monitoring "more like a pacifier." Credit monitoring helps only when a potential victim's Social Security number is used to open a new credit card account, and Social Security numbers weren't part of the stolen information.
The bank account monitoring proposal "is interesting and actually useful," she added. "But it only monitors checking accounts within the Certegy system, so it's not all-inclusive."
In all, she said the settlement was "a mixed bag, with some good pieces, some irrelevant pieces and some inadequate pieces."
Fidelity National Information Services, Certegy's parent company, did not respond to SCMagazineUS.com's request for comment.