More than a month after the Credit Union National Association announced its class action lawsuit against Equifax – in the wake of the credit bureau’s massive data breach impacting nearly half of the total U.S. population – state credit union leagues representing more than a dozen states have filed lawsuits, along with a number of individual credit unions.
But with so many consumers involved – estimated at approximately 145 million, which exceeds the total number of U.S. credit union members – the question arises: Why haven’t still more joined the class action suit?
In a statement emailed to Credit Union Journal, CUNA Chief Counsel Susan Parisi said “As with any lawsuit, a potential party must evaluate the pros and cons of joining given their own particular set of circumstances, such as the damages they have experienced, and decide whether or not to participate.”
According to Michael Bell, an attorney specializing in credit union issues with Howard & Howard Attorneys PLLC of Royal Oak, Mich., "Some credit unions could choose to proceed on their own [rather than joining CUNA’s class action suit]. Perhaps they feel they have unique damages and that they will not be properly represented by a class of credit unions. They may desire to go it alone against Equifax."
Such is the case with the Wisconsin Credit Union League, which announced this week that it is also suing the credit bureau; however it will serve as a named plaintiff in a suit initially brought by Summit Credit Union, which is separate from the suit filed by CUNA.
WCUL noted that the suit from Summit CU, a $2.9 billion-asset institution based on Madison, Wis., asked the court to “certify the class action, grant it damages and enjoin Equifax from continuing to pursue its negligent business practices.”
Brett Thompson, president & CEO of WCUL, told Credit Union Journal via email that “Summit is a member of the league and we agreed to be a named plaintiff in that action before CUNA filed its suit. We strongly support both Summit’s and CUNA’s lawsuits against Equifax, and anticipate the actions will be consolidated at a future date.”
Today Summit is a community-chartered credit union, but historically it served CUNA employees. Summit is believed to be the first financial institution of any kind to file suit against Equifax over the breach.
And CUNA isn't the only national trade association sounding off against the credit bureau. The National Association of Federally-Insured Credit Unions has also been vocal in the wake of the breach. NAFCU, like CUNA, has long pressed legislators for stronger national data security standards, and in testimony before Congress last week, NAFCU representatives suggested ways legislators could create a national data security standard to reduce the number of data breaches, as well as minimize their impact.
Similarly, NAFCU VP of Legislative Affairs Brad Thaler has also written a letter to lawmakers suggesting that credit bureaus like Equifax be subject to the same regulatory requirements depository institutions face.
‘All credit unions should benefit’
The Michigan Credit Union League was one of the first leagues to signal its intent to join CUNA's class action suit, and President and COO Ken Ross explained that the nature of class actions are such that “named plaintiffs" are leaders in the lawsuit, while “class” plaintiffs enjoy the benefits of the ultimate settlement without the time and expense incurred by the lead plaintiffs named in the lawsuit.
"It would be impractical and unnecessary to have each of thousands of credit unions nationwide included as named plaintiffs," he said. "Regardless, once a settlement is reached, all credit unions should benefit from the outcome."
J. Scott Sullivan, president and CEO of the Nebraska Credit Union League, noted that before NCUL joined the suit as a named plaintiff, he and other league leaders "weighed several issues."
"Unlike a stolen credit or debit card, this is not an isolated incident," he said. "Wrongdoers now have access to highly sensitive and personally identifiable information allowing them to open new accounts, credit cards, open loans and commit fraud."
In addition, the case will likely take years to resolve, which may ultimately serve as a deterrent to some parties entering into this litigation.
One other potential hurdle is that as more parties sign on for the class action suit, any potential return becomes smaller, since monies will have to be distributed among a larger number of plaintiffs.
But attorney Bell counters that size in this issue is "largely irrelevant" because it is "highly likely" that all the various class action lawsuits will be consolidated by the court system anyway.
Similarly, MCUL’s Ross said if history is any indication, the numerous lawsuits will be eventually "collapsed" into a single case, and this consolidation will take place in a single venue when the class action is certified by a U.S. District Judge.
"Regardless of size, once a settlement is negotiated and ultimately approved by the judge, relief will be provided to affected credit unions," he explained.
The Nebraska League’s Sullivan asserted that the size of the class isn’t what matters in this instance.
"It was about taking affirmative action to hold Equifax accountable for the financial harm caused to our credit unions for their failure to safeguard our credit unions’ members’ highly sensitive and personally identifiable information," he specified. "Equifax’s data security deficiencies were so significant that, even after hackers entered its system, their activities went undetected for at least two months. This blatant disregard for the security of confidential data is unacceptable.
To what end?
Another question the suit raises is the issue of an end goal or what can actually be accomplished?
Although Bell's law firm is not involved in this litigation, he said he assumes that the plaintiffs are seeking to recover damages incurred due to this data breach.
Michael Wishnow, senior vice president-marketing & communications at Pennsylvania Credit Union Association, another plaintiff in the suit, said PCUA had two basic goals in joining the suit: to ensure credit unions are reimbursed for any losses incurred and to emphasize that data breaches are disproportionately caused by third parties such as Equifax, retailers and health insurers, while financial institutions like credit unions are often "saddled" with all the costs.
"All entities need to be held to the same data security standards as banks and credit unions," Wishnow said.
Sullivan declared that the Nebraska league has taken this specific action principally "to stop Equifax from continuing its inadequate security practices and demand enhanced data protection measures in the future."
Beyond that, many have set their sites for victory higher. Jeff Olson, president and CEO of the CU Association of the Dakotas, said the Equifax breach highlights the need for tougher state- and federal-level data-protection and cybersecurity standards.
MCUL’s Ken Ross agreed, noting that CUs are likely to “suffer financial losses as a result of this data breach, which is the latest in a long line of data breaches where credit unions are left holding the bag in a broken system."
According to Ross, the “sheer magnitude” of this breach could be the thing that finally brings about “long-overdue Congressional action on this topic."
"Our member credit unions -- big and small -- are getting hit hard from these data breaches,” Ross added, “and we hope this action spurs public policymakers to take action to remedy the situation and provide equity to community-based institutions.”
Jared M. Ross, senior vice president, association services & governmental affairs at the League of Southeastern Credit Unions & Affiliates, another plaintiff, echoed those hopes.
“If we do not hold merchants and other entities collecting sensitive date accountable, then what is the incentive to protect consumer information?,” he pondered. “We have seen Congress has been slow to bring meaningful change in the area of data security, and we are hopeful that not only will this lawsuit provide credit unions with the relief they deserve, but that it will bring attention to the entire issue of data security.”