Certegy Check Services notified millions of Americans last fall that a rogue employee had stolen and sold their personal financial information. Now the St. Petersburg company is preparing to unleash some more bad news: a proposed legal settlement that some critics say will do little to fight identity theft.
The preliminary deal between Certegy and class-action attorneys, currently under review by U.S. District Court Judge Steven D. Merryday in Tampa, would offer partial relief to some of the 8.4-million Americans — including 460,000 Floridians — whose data were methodically stolen over a five-year period. Among the benefits:
• Credit monitoring. Upon request, Certegy would give consumers a free one-year subscription to Experian's Triple Alert, a $4.95-per-month service that monitors credit reports for evidence of fraudulent activity. Eligibility would be limited to the roughly 1.25-million people whose credit card or debit card information was stolen.
• Bank account monitoring. Upon request, Certegy would monitor bank accounts for evidence of fraud over a two-year period. Roughly 4.25-million consumers whose account data were stolen would qualify.
• Identity-theft reimbursement. Certegy would reimburse consumers first-come, first-served for actual losses suffered from identity theft, provided there is proof that the company was responsible. Certegy would set aside a pool of $4-million for such claims.
• Fee reimbursement. Certegy would reimburse consumers who, after learning their financial information had been stolen, had purchased a credit monitoring subscription (up to $180 per person) or replacement checks (up to $40 per person). A total of $1-million would be available first-come, first-served.
• Heightened security. Although Certegy denies responsibility for ex-employee William "Gary" Sullivan, who pleaded guilty to the thefts in November and is scheduled for sentencing Friday, the company said it has taken a number of steps to strengthen internal controls, including scanning staff e-mails and prohibiting the burning of CDs and DVDs.
"It is an excellent (settlement), providing valuable and important benefits for class members," plaintiffs' attorneys wrote in a court filing. But privacy and data-security experts contacted Tuesday disagreed.
Avivah Litan, a Gartner Group vice president who advises companies on how to respond to data breaches, said Certegy appeared to be more interested in saving money than in preventing identity theft and fraud. Credit monitoring services, she said, are "more or less ineffective" but popular with companies in Certegy's predicament because they are "relatively cheap" and function like a "pacifier" for worried consumers.
She also criticized the company for requiring class members to opt in for help — studies suggest few will — and for capping identity-theft reimbursements at $4-million, or less than $1 per person.
"That's where they've totally abdicated their responsibility," she said.
Litan praised Certegy's bank account monitoring as "exactly what is needed," although she said enrollment should be automatic, not optional.
Lillie Coney, associate director of the nonprofit Electronic Privacy Information Center in Washington, D.C., said the settlement "makes you wonder who represented the consumers." She said a more generous package would not only be more fair to consumers but would also create a financial incentive for Certegy to avoid future breaches.
Attempts to reach plaintiffs' attorneys and officials at Fidelity National Information Services, Certegy's Jacksonville parent company, were unsuccessful.
Scott Barancik can be reached at email@example.com or