Yes, we know that information security in an interconnected world is not trivial. We accept that configuration errors or malicious insiders or new, complex threats might conspire to provide opportunities for a breach. But who says that it is acceptable that notification and disclosure of a breach be done months or years after the incident?
That’s what appears to have happened with TD Ameritrade this past month. On September 14th, it was reported that TD Ameritrade had suffered a breach in which the names and contact info of all of its customers — over 6 million — were exposed. The company has further indicated that no Social Security or financial information was exposed, even though this data was stored in the same database (but probably in a different table) as the names and contact info.
There is now a class action lawsuit pending against them because of the stock-related spams that were spawned from this breach, and the major complaint is that TD Ameritrade was informed about the spam issue as early as October 2006, but initiated no investigations into the matter until at least four months after the lawsuit was filed in May 2007.
Unfortunately, bad news doesn’t get much better with the passage of time. It will be very interesting to see how they are impacted from a brand equity standpoint based on how this lawsuit turns out…