MONTGOMERY, Ala. — Alabama State Employees Credit Union has filed what appears to be the first class action lawsuit by a financial services company against Target Corp. over costs from the massive card security data breach.
The suit, filed last week in an Alabama federal court, seeks compensation for financial losses resulting from defrauded deposits of financial institution members and customers, as well as costs associated with closing accounts, reissuing new checks, debit cards and credit cards as a result of Target's data breach.
"Credit unions will stand in the shoes of all the financial institutions that have incurred losses," Wilson Daniel Miles III, an attorney at Beasley Allen Crown Methvin Portis & Miles PC, the Montgomery, Ala.-based law firm that is representing ASECU in the case, told Credit Union Journal. "We will clean up the mess that Target caused."
This is the second class action filed by the law firm against the Minneapolis retail giant over the data breach that began in late November and continued through at least Dec. 15. It is estimated that more than 40 million accounts were compromised.
The firm also filed the first consumer class action suit Dec. 20 on behalf of customers whose credit and debit card information was compromised at Target stores.
Under Alabama law, $212 million-asset ASECU must initially ask for a minimum of $5 million in damages, but Miles expects the final figure to be in the "hundreds of millions of dollars" after other financial services firms, including some banks, join the class action.
The huge retailer faces even more lawsuits filed by consumers seeking class-action status for their suits in state and federal courts from the company's home state of Minnesota to California and New York.
Most accuse Target of failing to protect their private information.
A Not So Merry Christmas
Executives at Pennsylvania State Employees CU in Harrisburg say they have not had a chance to discuss any potential legal actions to take. "But with nearly 30,000 cards to be reissued, we will certainly have costs," said Greg Smith, CEO of the $4.2 billion credit union.
On the other side of the nation, Scott Ingram, a spokesman for Golden 1 CU, said the $8.2 billion Sacramento, Calif., institution will spend between $300,000 to $350,000 to replace 67,000 member cards affected by the breach.
That figure includes production and mailing expenses. Members have been notified via e-mail and letters that Golden 1 is replacing their cards.
In Idaho Falls, East Idaho Credit Union said cost was not a concern, and protecting members' accounts and helping them understand what was happening was the only objective when it shut down hundreds of debit cards Dec. 19.
CEO Brad Bauges said the $260 million credit union decided to block and reissue the cards after it dug into its transaction data.
"We noticed that quite a few members used their cards at Target during the breach period," said Bauges. "Then we started seeing quite a bit of fraud coming in, and due to the severity of the breach, we decided it was best to block those cards."
But Henry Wirz, CEO of the $2 billion SAFE CU in North Highlands, Calif., reminds that if the credit union blocks and reissues cards too frequently, it will seriously disrupt member service and damage member confidence.
"Members experience a great deal of inconvenience when cards are reissued," Wirz wrote in an e-mail to Credit Union Journal. "Their card account number is tied to automatic payments or is set up with online merchants. The change in account numbers affects many relationships. A local credit union just reported they are reissuing cards to protect members. Really? Card reissues are primarily to protect the credit union from fraud losses."
Wirz contends that if credit unions are "serious" about protecting their members and their debit and credit card business, they should be "laser focused" on driving legislation that will hold merchants accountable for a specified level of internal controls to protect card data.
"Merchants and processors are the cause of most breaches," said Wirz. "They are the weakest link in the chain of custody for member data in electronic transactions. If we don't [write Congressional representatives to demand legislation] then we are not protecting our members."
CUs More Responsive Than Banks
Meanwhile, it appears CUs have been more responsive than banks when it comes to issuing new cards, according to two recent online surveys.
In an online poll conducted by Credit Union Journal Christmas week, nearly 70% of respondents said their institutions were reissuing new cards because that's the best way to protect affected accounts from fraud. In a similar online poll conducted by American Banker, about half (48%) of respondents said the same.
Some 28% said their credit unions had not yet reissued cards to members affected by the breach, and would issue new cards only if they detect suspicious account activity in the account compared with 42% of American Banker respondents.
At Family Focus FCU in Omaha, Neb., the decision to block and reissue came just days before Christmas. CEO Amy Brodersen helped members learn how to use its new CO-OP NextGen ATM outside the $29 million-asset credit union.
Brodersen said Family Focus regretted having to block 150 debit cards late Friday night, Dec. 20, to protect members' accounts. But FFFCU called all 150 to let them know they could still use their blocked debit card at the ATM outside the credit union.
The high-tech ATM offers shared branching functionality and allows members to perform many of the functions they can with a teller. While the blocked debit cards won't work with the machine's ATM functionality, they still serve as identification, giving members access to shared branching transactions.
"Now members whose cards have been cancelled can take out money just like they would if they walked into the credit union, and they can do it 24/7," Brodersen said. She added that the instruction provided to members over the phone and in person explained how to easily sign up for shared branching at the ATM and use that functionality.
The Target breach has members of Pennsylvania State Employees CU viewing the credit union's Facebook page in record numbers, according to CEO Smith.
Social Media Comes In Handy
PSECU reached out to its membership via Facebook and e-mail messages to let them know that it had moved swiftly to protect their accounts in the wake of the data compromise. When PSECU learned that more than 28,000 of its cards were potentially involved, it began the process of reissuing debit and credit cards, but was concerned with the Christmas holiday only days away that it would be difficult to get the message out to its members.
Smith said the solution was to go to electronic delivery channels. PSECU has few branches and uses remote delivery channels to provide service to its 400,000 members. As a result, the CU has most of its members' e-mail addresses. An e-mail was sent to almost 21,000 members and a message was posted on the credit union's Facebook page.
The response of the membership was quick and positive. By Dec. 26, the Facebook post received 191 likes, 52 shares, and 60 comments. It also had a total reach of over 5,300 views, one of the highest since PSECU joined social media.
