CUNA Mutual Group and 163 of its credit union policyholders filed suit against BJ's Wholesale Club and its acquiring institution, Fifth Third Bank, to recover losses from the hacking incident at the Boston-area retailer.
Those losses resulted from the highly publicized March 2004 security breach of more than 40,000 credit and debit card numbers and related customer information from BJ's - information that CUNA Mutual says BJ's never should have had on its system in the first place.
"A key part of this suit is that all of us - CUNA Mutual Group, credit unions and other card-issuing institutions - relied upon the retailer's compliance with the credit card associations' established rules and regulations prohibiting the collection and retention of full magnetic stripe information at the point of service," said Marc Krasnick, CUNA Mutual's senior VP-credit union protection. "They were in direct violation of the association's rules and regulations."
CUNA Mutual said the security breach begs the question: what are the associations doing about this? "The card associations establish these rules and regulations and have an obligation to enforce those rules and regulations," Krasnick noted. "Visa can impose fines and penalties [on BJ's or other point of service retailers that violate the rules], and they claim they have begun to do this. Visa said it convened a meeting of the 30 largest software providers of POS technology to inform them of this situation."
Is that enough?
"What we're wondering is where's the urgency? We've not heard about drop-dead dates [for compliance], we haven't heard of any changes that have actually been made to the software," Krasnick related.
Although neither of the card associations is named in CUNA Mutual's suit, Krasnick said they could be named later as the discovery process advances.
While the suit has been filed to help recover losses that CUNA Mutual's CUMIS bondholders have suffered, another goal is to call more attention to similar compliance breaches at other retailers that are in direct violation of the rules against capturing and storing full magnetic stripe data at POS, Krasnick said.
"The scary part of this situation is that on a regular basis credit unions and other card-issuing institutions get alerts of additional card number breaches similar to what happened at BJ's," he commented. "Many retailers are using software that is out of compliance and putting consumers' credit card data on the line."
And it's not just the dollar losses that are of concern to credit unions - it's the hit CUs are taking to their reputations, as well.
"These losses occurred through no fault of the credit unions," Krasnick emphasized. "The credit unions did nothing wrong. They relied on the retailers to comply with the rules and regulations that are in place to protect the safety of this data.
"But it's the credit unions who have to deal with their members when something like this happens. The member associates this with the credit union. The credit union has to inform members when their information may have been compromised, and even though credit unions tell members it's not because of anything the credit union did, what the members remember is that it was the credit union who issued them the card, and it was the credit union that informed them of the problem. Credit unions are blameless in this, but so long as this situation continues, their reputations are taking a hit."
CUNA Mutual is spearheading the lawsuit as a "value-added benefit" to its policyholders because the CUs couldn't afford what will probably be an expensive and protracted legal battle without help.
To date, 163 credit unions have signed on to the lawsuit, but at press time, another 10 had already expressed a desire to be included in the suit, and CUNA Mutual expects others will also get on board in the near future.