In early 2008, DA Davidson & Co (Davidson), a Montana-based investment firm, discovered that a computer hacker illegally obtained access to a database containing personal and financial information of its current and former clients. Shortly thereafter, Davidson notified the affected parties and offered them one year of credit monitoring at its expense. Davidson subsequently extended the free credit monitoring offer from one year to two years.
Despite these initial efforts at remediation, in May of 2009, those affected by the data breach filed a class action lawsuit against Davidson alleging claims of negligence, breach of contract, breach of fiduciary duty, and violations of the Fair Credit Reporting Act and the Montana Consumer Protection Act. On November 12, 2009, the U.S. District Court for the District of Montana approved the settlement of the action, finding that the settlement was fair, reasonable, adequate, and in the best interests of the settlement class. The terms of the settlement included: (1) $185,000 in legal fees to the plaintiffs’ attorneys; (2) a $1,000 incentive award to each representative plaintiff; (3) reimbursement to each settlement class member for any actual and unreimbursed out-of-pocket damages up to $10,000, with aggregate damages liability to all settlement class members limited to $1,000,000; and (4) a deadline of and including June 1, 2011, for the filing of claims.
As of the date of the approved settlement, there were no reported identity thefts resulting from the database breach. The ultimate amounts to be paid by Davidson pursuant to the terms of the settlement are not known. Regardless, this class action lawsuit and settlement demonstrate the critical importance of protecting customer data, monitoring for data breaches, and timely complying with data privacy laws in the event of data breaches.