More than a dozen credit unions, leagues and oth­ers have signed on to the class ac­tion suit over the mas­sive data breach es­ti­mated to have im­pacted 145 mil­lion con­sumers.

Credit Union Journal - - Contents - BY PALASH GHOSH

Well over a dozen credit unions and state leauges have in­di­cated plans to sue Equifax fol­low­ing its mas­sive con­sumer data breach, but ex­actly what the end re­sult will be is still any­one’s guess.

MORE THAN A MONTH AF­TER THE Credit Union Na­tional As­so­ci­a­tion an­nounced its class ac­tion law­suit against Equifax for its mas­sive data breach, state credit union leagues rep­re­sent­ing more than a dozen states have filed law­suits, along with a num­ber of in­di­vid­ual credit unions.

But with so many con­sumers in­volved — es­ti­mated at ap­prox­i­mately 145 mil­lion, which ex­ceeds the to­tal num­ber of U.S. credit union mem­bers — the ques­tion is: Why haven’t still more joined the class ac­tion suit?

Ac­cord­ing to Michael Bell, an at­tor­ney spe­cial­iz­ing in credit union is­sues with Howard & Howard At­tor­neys PLLC of Royal Oak, Mich., “Some credit unions could choose to pro­ceed on their own [rather than join­ing CUNA’S class ac­tion suit]. Per­haps they feel they have unique dam­ages and that they will not be prop­erly rep­re­sented by a class of credit unions. They may de­sire to go it alone against Equifax.”

Such is the case with the Wis­con­sin Credit Union League, which an­nounced this week that it is also su­ing the credit bureau; how­ever it will serve as a named plain­tiff in a suit ini­tially brought by Sum­mit Credit Union, which is sep­a­rate from the suit filed by CUNA. The league noted, how­ever, that it be­lieves the two cases will even­tu­ally be com­bined—a sen­ti­ment shared by Bell, as well as the Michi­gan CU League.

The Na­tional As­so­ci­a­tion of Fed­er­ally-in­sured Credit Unions has also been vo­cal in the wake of the breach. NAFCU, like CUNA, has long pressed leg­is­la­tors for stronger na­tional data se­cu­rity stan­dards, and in tes­ti­mony be­fore Congress last week, NAFCU rep­re­sen­ta­tives sug­gested ways leg­is­la­tors could cre­ate a na­tional data se­cu­rity stan­dard to re­duce the num­ber of data breaches, as well as min­i­mize their im­pact.

The Michi­gan Credit Union League was one of the first leagues to sig­nal its in­tent to join CUNA’S class ac­tion suit, and Pres­i­dent and COO Ken Ross ex­plained that the na­ture of class ac­tions are such that “named plain­tiffs” are lead­ers in the law­suit, while “class” plain­tiffs en­joy the ben­e­fits of the ul­ti­mate set­tle­ment with­out the time and ex­pense in­curred by the lead plain­tiffs named in the law­suit.

“It would be im­prac­ti­cal and un­nec­es­sary to have each of thou­sands of credit unions na­tion­wide in­cluded as named plain­tiffs,” he said. “Re­gard­less, once a set­tle­ment is reached, all credit unions should ben­e­fit from the out­come.”

J. Scott Sul­li­van, pres­i­dent and CEO of the Ne­braska Credit Union League, noted that be­fore NCUL joined the suit as a named plain­tiff, the league “weighed sev­eral is­sues.” “Un­like a stolen credit or debit card, this is not an iso­lated in­ci­dent,” he said. “Wrong­do­ers now have ac­cess to highly sen­si­tive and per­son­ally iden­ti­fi­able in­for­ma­tion al­low­ing them to open new ac­counts, credit cards, open loans and com­mit fraud.”

In ad­di­tion, the case will likely take years to re­solve, which may ul­ti­mately serve as a de­ter­rent to some par­ties en­ter­ing into this lit­i­ga­tion.

One other po­ten­tial hur­dle is that as more par­ties sign on for the class ac­tion suit, any po­ten­tial re­turn be­comes smaller, since monies will have to be dis­trib­uted among a larger num­ber of plain­tiffs.

“Re­gard­less of size, once a set­tle­ment is ne­go­ti­ated and ul­ti­mately ap­proved by the judge, re­lief will be pro­vided to af­fected credit unions,” MCUL’S Ross ex­plained.

The Ne­braska League’s Sul­li­van as­serted that the size of the class isn’t what mat­ters in this in­stance.

“It was about tak­ing af­fir­ma­tive ac­tion to hold Equifax ac­count­able for the fi­nan­cial harm caused to our credit unions for their fail­ure to safe­guard our credit unions’ mem­bers’ highly sen­si­tive and per­son­ally iden­ti­fi­able in­for­ma­tion,” he spec­i­fied. “Equifax’s data se­cu­rity de­fi­cien­cies were so sig­nif­i­cant that, even af­ter hack­ers en­tered its sys­tem, their ac­tiv­i­ties went un­de­tected for at least two months. This bla­tant dis­re­gard for the se­cu­rity of con­fi­den­tial data is un­ac­cept­able.


An­other ques­tion the suit raises is the is­sue of an end goal—is the big is­sue re­coup­ing losses, or the push for stronger laws re­lated to data se­cu­rity?

Michael Wish­now, se­nior vice pres­i­dent-mar­ket­ing and com­mu­ni­ca­tions at Penn­syl­va­nia Credit Union As­so­ci­a­tion, an­other plain­tiff in the suit, said PCUA had two ba­sic goals in join­ing the suit: to en­sure credit unions are re­im­bursed for any losses in­curred and to em­pha­size that data breaches are dis­pro­por­tion­ately caused by third

par­ties such as Equifax, re­tail­ers and health in­sur­ers, while fi­nan­cial in­sti­tu­tions like credit unions are of­ten “sad­dled” with all the costs.

“All en­ti­ties need to be held to the same data se­cu­rity stan­dards as banks and credit unions,” Wish­now said.

Sul­li­van de­clared that the Ne­braska league has taken this spe­cific ac­tion prin­ci­pally “to stop Equifax from con­tin­u­ing its in­ad­e­quate se­cu­rity prac­tices and de­mand en­hanced data pro­tec­tion mea­sures in the fu­ture.”

Be­yond that, many have set their sites for vic­tory higher. Jeff Olson, pres­i­dent and CEO of the CU As­so­ci­a­tion of the Dako­tas, said the Equifax breach highlights the need for tougher state­and fed­eral-level data-pro­tec­tion and cy­ber­se­cu­rity stan­dards.

MCUL’S Ken Ross agreed, not­ing that CUS are likely to “suf­fer fi­nan­cial losses as a re­sult of this data breach, which is the lat­est in a long line of data breaches where credit unions are left hold­ing the bag in a bro­ken sys­tem.”

Ac­cord­ing to Ross, the “sheer mag­ni­tude”

of this breach could be the thing that fi­nally brings about “long-over­due Con­gres­sional ac­tion on this topic.”

“Our mem­ber credit unions — big and small — are get­ting hit hard from these data breaches,” Ross added, “and we hope this ac­tion spurs pub­lic pol­i­cy­mak­ers to take ac­tion to rem­edy the sit­u­a­tion and pro­vide eq­uity to com­mu­nity-based in­sti­tu­tions.”

Jared M. Ross, se­nior vice pres­i­dent, as­so­ci­a­tion ser­vices & gov­ern­men­tal af­fairs at the League of South­east­ern Credit Unions & Af­fil­i­ates,

an­other plain­tiff, echoed those hopes.

“If we do not hold mer­chants and other en­ti­ties col­lect­ing sen­si­tive date ac­count­able, then what is the in­cen­tive to pro­tect con­sumer in­for­ma­tion?,” he pon­dered. “We have seen Congress has been slow to bring mean­ing­ful change in the area of data se­cu­rity, and we are hope­ful that not only will this law­suit pro­vide credit unions with the re­lief they de­serve, but that it will bring at­ten­tion to the en­tire is­sue of data se­cu­rity.”

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.