A typical corporate data security policy classifies consumer contact information as confidential, but not “highly confidential” or “sensitive.”  Should mere contact information be afforded greater protection?

One case on point has dragged on since late 2007, when Ameritrade reported that a database of its customers’ contact information (including names, physical addresses, email addresses and phone numbers) had been compromised. A class action law suit quickly followed, and the third settlement attempt was rejected just recently by the court on the grounds that, in the judge’s view, it provided an inadequate remedy for the affected consumers.

The rejected settlement would have required Ameritrade to:

  • Post notices on its Web site warning customers about “stock touting spam”
  • Retain independent experts to conduct biannual penetration tests on its systems
  • Seed its email address databases with monitored email addresses for the purpose of detecting data compromises
  • Offer to pay for one year’s worth of a spam or virus filtering service for each of the 6 million customers whose email addresses were compromised
  • Retain an analytics specialist to perform analyses of whether the compromised data has been used to commit identity theft
  • If identity theft is detected, offer class members identity theft remediation services
  • Donate $55,000 to two anti spam projects
  • Pay plaintiffs’ counsel $1.9M in attorney’s fees

Since these settlement terms did not satisfy the judge, the parties will reconvene at a hearing on December 10, 2009.

The Ameritrade case has served as a reminder that companies should not ignore the importance of keeping contact information secure while focusing primarily on more sensitive information such as Social Security Numbers and financial account numbers. However, applicable laws that require companies to protect the security of individuals’ information generally do not apply to mere contact information. For that reason, it is still appropriate to classify contact information as “confidential” as long as your policies provide for reasonable protections for such information. As an example, since customer databases compile all customer contact information into one place, and are an attractive target for hackers, such databases should be afforded greater protection than individual documents that contain just one customer’s name and contact information. Similarly, when disposing of paper files containing customer contact information in mass, it would be a best practice, although not required by U.S. law, to shred such documents upon disposal.