Penetration tests are essentially covert tests with little cooperation from the target. Only full-scope vulnerability assessments come close to reliably finding vulnerabilities. A full vulnerability assessment has the cooperation of the target, and allows for a more complete assessment of the environment.
Also, a penetration test is limited in the potential vulnerabilities it can turn up. The testers use their standard methodologies, whereas criminals can use whatever methodology they choose. Criminals can put unlimited time and effort into compromising an organisation, whereas the testers have a limited scope and typically operate under rules of engagement that are irrelevant to criminals.
I hope the judge doesn't let penetration tests become the centerpiece of the eventual settlement. They are something that a company like TD Ameritrade should regularly perform anyway, and they aren't nearly as effective as things like the audits required under the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act.
But what would be proper restitution? For starters, the settlement should do an end run around the limitations of class-action lawsuits. Such lawsuits are basically a transfer of wealth between the defendant and the plaintiffs' attorney, with the actual victims getting little, if anything.
I would suggest that TD Ameritrade provide identity theft protection and response for all clients, no questions asked. TD Ameritrade might balk at the potential expense, but the truth is that few people would actually take advantage of such an offer, because it's too much of a hassle or because they already are well protected on their own. But at least those who were truly vulnerable would be compensated in some meaningful way.
Additionally, TD Ameritrade should undertake vulnerability assessments at least every six months, with mini-assessments/penetration tests performed every three months. It should also be required to implement vulnerability management tools and services, along with systems that detect potential compromises.
We'll see just how information security-savvy Judge Wilson is when this case is finally settled.
Ira Winkler is president of Internet Security Advisors Group and author of the book Spies Among Us. He can be contacted through his website, irawinkler.com.