On Compliance: Should your credit union be a plaintiff in a data breach class action suit?

Strategic considerations include whether suing puts you at risk if you are later breached and sued.

As data breaches increase in frequency, the much-publicized warning from data-privacy experts worldwide is becoming more true every day: It’s not a matter of if your data will be breached but when. Any entity that has experienced a data breach can tell you that dealing with the fallout can be incredibly costly. Indeed, a data breach can be costly even when it’s someone else’s data that has been breached.

When a large merchant, restaurant operator, or processor sustains a data breach and customers’ card data is stolen, it’s not just the compromised entity that can suffer financially. The financial institutions that issued the cards face economic losses too. Card issuers often incur costs for reimbursement to customers, remediation and associated expenses. These costs can be significant.

In the last few years, a number of credit unions and community banks have found themselves on the plaintiffs’ side of class-action data-breach litigation over the costs resulting from other parties’ data breaches. Several of these cases have resulted in large settlements. In 2015, Target Corp. agreed to pay almost $40 million to a class of banks and credit unions that sued over a 2013 data breach that affected at least 70 million consumers. In 2017, Home Depot agreed to pay $25 million to financial institutions that incurred costs as a result of a 2014 data breach that affected 56 million credit and debit card numbers. And, in February of this year, Wendy’s announced a $50 million settlement with financial institutions over a 2015-2016 data breach that affected 18 million cards.

 
