CU IN COURT
More than a dozen credit unions, leagues and others have signed on to the class action suit over the massive data breach estimated to have impacted 145 million consumers.
Well over a dozen credit unions and state leauges have indicated plans to sue Equifax following its massive consumer data breach, but exactly what the end result will be is still anyone’s guess.
MORE THAN A MONTH AFTER THE Credit Union National Association announced its class action lawsuit against Equifax for its massive data breach, state credit union leagues representing more than a dozen states have filed lawsuits, along with a number of individual credit unions.
But with so many consumers involved — estimated at approximately 145 million, which exceeds the total number of U.S. credit union members — the question is: Why haven’t still more joined the class action suit?
According to Michael Bell, an attorney specializing in credit union issues with Howard & Howard Attorneys PLLC of Royal Oak, Mich., “Some credit unions could choose to proceed on their own [rather than joining CUNA’S class action suit]. Perhaps they feel they have unique damages and that they will not be properly represented by a class of credit unions. They may desire to go it alone against Equifax.”
Such is the case with the Wisconsin Credit Union League, which announced this week that it is also suing the credit bureau; however it will serve as a named plaintiff in a suit initially brought by Summit Credit Union, which is separate from the suit filed by CUNA. The league noted, however, that it believes the two cases will eventually be combined—a sentiment shared by Bell, as well as the Michigan CU League.
The National Association of Federally-insured Credit Unions has also been vocal in the wake of the breach. NAFCU, like CUNA, has long pressed legislators for stronger national data security standards, and in testimony before Congress last week, NAFCU representatives suggested ways legislators could create a national data security standard to reduce the number of data breaches, as well as minimize their impact.
The Michigan Credit Union League was one of the first leagues to signal its intent to join CUNA’S class action suit, and President and COO Ken Ross explained that the nature of class actions are such that “named plaintiffs” are leaders in the lawsuit, while “class” plaintiffs enjoy the benefits of the ultimate settlement without the time and expense incurred by the lead plaintiffs named in the lawsuit.
“It would be impractical and unnecessary to have each of thousands of credit unions nationwide included as named plaintiffs,” he said. “Regardless, once a settlement is reached, all credit unions should benefit from the outcome.”
J. Scott Sullivan, president and CEO of the Nebraska Credit Union League, noted that before NCUL joined the suit as a named plaintiff, the league “weighed several issues.” “Unlike a stolen credit or debit card, this is not an isolated incident,” he said. “Wrongdoers now have access to highly sensitive and personally identifiable information allowing them to open new accounts, credit cards, open loans and commit fraud.”
In addition, the case will likely take years to resolve, which may ultimately serve as a deterrent to some parties entering into this litigation.
One other potential hurdle is that as more parties sign on for the class action suit, any potential return becomes smaller, since monies will have to be distributed among a larger number of plaintiffs.
“Regardless of size, once a settlement is negotiated and ultimately approved by the judge, relief will be provided to affected credit unions,” MCUL’S Ross explained.
The Nebraska League’s Sullivan asserted that the size of the class isn’t what matters in this instance.
“It was about taking affirmative action to hold Equifax accountable for the financial harm caused to our credit unions for their failure to safeguard our credit unions’ members’ highly sensitive and personally identifiable information,” he specified. “Equifax’s data security deficiencies were so significant that, even after hackers entered its system, their activities went undetected for at least two months. This blatant disregard for the security of confidential data is unacceptable.
TO WHAT END?
Another question the suit raises is the issue of an end goal—is the big issue recouping losses, or the push for stronger laws related to data security?
Michael Wishnow, senior vice president-marketing and communications at Pennsylvania Credit Union Association, another plaintiff in the suit, said PCUA had two basic goals in joining the suit: to ensure credit unions are reimbursed for any losses incurred and to emphasize that data breaches are disproportionately caused by third
parties such as Equifax, retailers and health insurers, while financial institutions like credit unions are often “saddled” with all the costs.
“All entities need to be held to the same data security standards as banks and credit unions,” Wishnow said.
Sullivan declared that the Nebraska league has taken this specific action principally “to stop Equifax from continuing its inadequate security practices and demand enhanced data protection measures in the future.”
Beyond that, many have set their sites for victory higher. Jeff Olson, president and CEO of the CU Association of the Dakotas, said the Equifax breach highlights the need for tougher stateand federal-level data-protection and cybersecurity standards.
MCUL’S Ken Ross agreed, noting that CUS are likely to “suffer financial losses as a result of this data breach, which is the latest in a long line of data breaches where credit unions are left holding the bag in a broken system.”
According to Ross, the “sheer magnitude”
of this breach could be the thing that finally brings about “long-overdue Congressional action on this topic.”
“Our member credit unions — big and small — are getting hit hard from these data breaches,” Ross added, “and we hope this action spurs public policymakers to take action to remedy the situation and provide equity to community-based institutions.”
Jared M. Ross, senior vice president, association services & governmental affairs at the League of Southeastern Credit Unions & Affiliates,
another plaintiff, echoed those hopes.
“If we do not hold merchants and other entities collecting sensitive date accountable, then what is the incentive to protect consumer information?,” he pondered. “We have seen Congress has been slow to bring meaningful change in the area of data security, and we are hopeful that not only will this lawsuit provide credit unions with the relief they deserve, but that it will bring attention to the entire issue of data security.”