On October 21, 2021, credit unions around the world will celebrate International Credit Union (ICU) Day® recognizing the global credit union movement. ICU Day has been annually celebrated on the third Thursday of October since 1948. This year’s ICU Day theme is “Building financial health for a brighter tomorrow.”™

Credit unions contribute to “building financial health” by providing access to financial services in a member-driven and customer friendly environment. These include credit and debit card services for their members. However, in the wake of payment card data breaches, which have been on the rise in recent years, credit unions face unique challenges navigating the costly fallout that data breaches have on both the credit union and their members.

The costs of mitigating the harm after a data breach can be quite expensive depending on the circumstances. That is why credit unions are leading the charge to recover damages suffered by financial intuitions in data breach cases. Financial institutions, such as credit unions, that issue payment cards often feel the economic impact of this misconduct more than any other group. A recent survey found that the cost of reissuing compromised payment cards ranges from $3 to $25 per card, with smaller financial institutions paying on the higher end of the scale. This can lead credit unions to incur substantial losses in data breaches involving millions of cards nationwide. This does not account for the significant capital and human resources spent on other corrective measures, such as notifying customers that their cards may have been compromised, investigating claims of fraudulent activity, or reimbursing members for fraudulent charges. Credit unions may also lose income from interest and transaction fees as a result of decreased card usage following a data breach.

While it may have been possible to accept these expenses as a “cost of doing business” in the past, the increasing frequency of payment card data breaches has led many credit unions to act by filing lawsuits against retailers and other merchants whose systems were breached. Indeed, credit unions have been instrumental in some of the most important payment card data breach cases of the last decade. These include taking action in the Target, Home Depot, Wendy’s, and Wawa data breach cases. These cases have often resulted in substantial recoveries for credit union class members. Most recently in the Wawa data breach case (In re Wawa, Inc. Data Security Litigation, Case No. 2:19-cv-06019-GEKP (E.D. Pa.)), in June 2020, Partner Christian Levis of Lowey Dannenberg was appointed by the Court as Interim Co-Lead Class Counsel on behalf of a putative class of financial institutions, including credit unions. In May 2021, Lowey Dannenberg successfully defeated Wawa’s motion to dismiss. The case remains pending.

In the spirit of this year’s ICU Day, in order to build financial health for a brighter tomorrow for both themselves and their members, credit unions must be at the forefront of this movement holding bad actors accountable. Credit unions affected by third-party data breaches should not simply write off the cost of remediation as a loss and should consider speaking to counsel experienced in handling these types of cases. As demonstrated by the cases above, credit unions often have claims against the merchant or retailer whose payment card processing systems were compromised. Those claims can be valuable and provide a vehicle for recovering a substantial amount of the costs associated with reissuing cards and reimbursing members. Whenever the next payment card data breach occurs, credit unions should consider pursuing litigation to recoup these costs.

Please contact Christian Levis (clevis@lowey.com), Anthony M. Christina (achristina@lowey.com), or Amanda Fiorilla (afiorilla@lowey.com) with any questions about the Wawa case or representing your credit union in the wake of a future payment card data breach.