It is far too early for financial institutions to tally all the costs of the Equifax data breach. But one Wisconsin credit union is already taking the embattled company to court.
Summit Credit Union, which is based in Madison and has 34 locations around the state, is believed to be the first U.S. financial institution to sue over the massive security failure. The lawsuit seeks unspecified damages for a range of anticipated costs resulting from the breach.
The credit union’s lawyer, Stacey Slaughter of the law firm Robins Kaplan, said there has never been a cybersecurity incident of a similar nature and magnitude as the Equifax breach.
“I think that we haven’t encountered anything like this before,” she said in an interview. “And I think it really made us look at this breach in a different way than we’ve looked at other breach cases.”
The lawsuit, which has not previously been reported, is seeking class-action status. It is part of an avalanche of litigation — mostly filed by consumers — that has emerged in the two weeks since the breach was disclosed.
The Summit case is unlikely to be the last case brought against Equifax by banks and credit unions.
Bryan Gudmundson, a partner at Zimmerman Reed in Minneapolis, said Thursday that his firm is representing an unnamed financial institution and plans to file another suit soon.
He expressed outrage over the Equifax breach, which affects an estimated 143 million Americans. “We’re talking about a company whose only business is sensitive data,” he said.
Gudmundson previously represented banks and credit unions in lawsuits that were filed after data breaches at the retailers Target and Home Depot. Those incidents involved stolen payment card information. The Equifax breach has wider implications because the compromised data can be used to hijack consumers’ identities and set up fraudulent new accounts in their names.
“We’re being very deliberate in terms of investigating this,” Gudmundson said. “We’ve talked to all sorts of institutions, and they’ve raised all sorts of different concerns.”
Banks and credit unions have a symbiotic relationship with Equifax. Not only do they send information about their own borrowers’ payment histories to the Atlanta-based firm, they also buy reports from Equifax that include aggregated data from multiple financial institutions, which they rely on as they make loan decisions.
Summit Credit Union, which has $2.6 billion of assets, alleges that Equifax’s negligence will harm it in myriad ways.
Its lawsuit notes that financial institutions bear the costs of canceling and reissuing compromised credit cards. More than 200,000 credit card numbers were stolen from Equifax.
Banks and credit unions are also responsible for the cost of fraudulent payments made in their customers’ names.
In response to the Equifax hack, financial institutions will bear additional costs for monitoring, preventing and responding to fraud, and for complying with regulations, according to the lawsuit.
“Financial institutions are also concerned about the chilling effect this breach may have on future lending,” the lawsuit continues, “as customers deal with the impact of the breach on their finances and credit, as well as on their emotional well-being.”
Executives at the credit union did not respond to requests for comment. Likewise, an Equifax spokeswoman did not respond prior to deadline.
On its website, Summit Credit Union has posted a customer notification about the Equifax breach. It notes that names, Social Security numbers, birth dates, addresses and, in some cases, driver’s license numbers were compromised.
“This is a breach of Equifax, not Summit,” the site states. “Rest assured, we take safeguarding your information very seriously and are actively monitoring this situation.”
Banks and credit unions are likely weighing a lot of different considerations as they decide how to respond to the Equifax breach.
“I wonder whether the breach will affect the willingness of financial institutions to give Equifax the information which it needs to function,” Jeff Sovern, a law professor at St. John’s University, said in an email.
“After all, financial institutions now have a reason to believe that information may not be secure,” Sovern continued. “If some financial institutions stop providing Equifax data, that may make Equifax’s product less valuable to other lenders, which could also affect their willingness to be an Equifax customer. So financial institutions can damage Equifax even without suing.”