
Credit Unions Face Lawsuits Following Data Breaches: How You Can Prepare


A data breach always promises a painful and expensive recovery process, whether the cost is financial or comes as increased regulatory scrutiny. Now, financial institutions have another potential consequence to worry about: class action lawsuits.

Two recent cyber breaches have members filing class action lawsuits directly against their credit unions over exposed non-public personal information (NPPI) and the delay in notifying them of the breach. Members of the Ventura County Credit Union (VCCU) allege that the credit union failed to implement reasonable data security practices, comply with industry standards, and provide adequate privacy notices, resulting in the compromise of personal information such as the full names, Social Security numbers, and financial account information of credit union members and employees.

The credit union became aware of suspicious activity around December 14, 2022, covering a period from October 20 to December 15, 2022, but notification was not sent until July 6, 2023, after the completion of a forensic review. HawaiiUSA Federal Credit Union in Honolulu suffered a similar attack in December 2022 that affected more than 20,000 of its members. Notification to affected members was sent in April 2023.

Of note, these lawsuits are not claiming members lost money from their accounts as a result of the breach. In one case, a credit card was opened in the member's name; in another, fraudulent tax returns were filed. The members did see an increased number of spam calls, texts, and emails, and allege that the value of their personally identifiable information has been diminished or lost. In both cases, the credit union provided credit monitoring and identity protection services for the affected members at no cost.

In addition to allegations that the credit unions failed to maintain reasonable cybersecurity procedures, the members also questioned why it took so long to notify them of the breach, potentially allowing the data to be used or sold. Although both credit unions launched investigations upon discovering the breach, notification took several months. These lawsuits highlight that consumers will not wait until regulators investigate and impose penalties but will use the courts to obtain damages.

Mitigating Data Breaches

A robust, layered system of preventative and detective cybersecurity controls reduces the likelihood of a successful intrusion and is your primary defense against both breaches and the consequences that may follow them. Critical areas for consideration include:

  • Employee training regimens on security awareness, phishing, and data management.
  • Network segmentation to prevent privilege escalation after a breach.
  • Inventorying and managing the collection, storage, and destruction of NPPI in all forms and locations.
  • An effective backup and recovery system to restore data after an attack.
  • Strong encryption to protect sensitive customer data at rest and in transit.
  • A robust asset management program that includes vulnerability scanning of all systems and well-managed patching, monitoring, and reporting to remediate vulnerabilities in a timely manner.
  • Industry-appropriate configuration management standards that ensure all systems and software conform to your security standards and don’t leave weaknesses, such as unnecessary services or deprecated protocols, for attackers to exploit.
  • Incident response planning that is up to date with roles and responsibilities in the event of an emergency.
  • Testing and auditing information security controls, standards, and procedures.

These are only a few high-level examples of key control areas. Your institution should have a thorough, risk-informed information security management function that defines and oversees these and many other controls. Our Advisory Services team can assist with developing or assessing your program.

Importance of an Incident Response Plan

For most organizations, a computer security incident is a question of “when,” not “if.” Once an incident is under way, your preventative controls matter less and your active detection and response capabilities become crucial.

Incident response plans are used to minimize damage and maintain trust between the organization and the individuals involved. It is critical for a financial institution to be prepared and to act diligently when a breach takes place. An institution's incident response plan should include items such as:

  • An outline of roles and responsibilities for the members involved.
  • A detection and analysis procedure to monitor and log suspicious activity.
  • Escalation procedures to investigate activity and invoke the plan as necessary.
  • Response and recovery playbooks that contain steps to bring the organization back to normal operations.
  • Notification procedures for internal personnel, affected individuals, and government and third-party organizations:
    • Consumers should be notified as soon as all the information regarding the incident is collected and established.
    • The longer the consumers are in the dark about the situation, the less prepared the institution appears to be.

Even the best plan can fail in the chaos of an ongoing incident. Once you’ve developed your plan, it’s equally crucial to validate its effectiveness through thorough testing exercises, including both tabletop testing and simulated breach incidents (such as purple team exercises). Also ensure that the plan is carried out in a timely manner, so that customers receive the notification they need to address and monitor any negative activity that could occur with their accounts.

With the ever-increasing financial threats posed by breaches, it’s more important than ever for institutions to have a strong and well-vetted incident response management program. A preventative cybersecurity program is still important, of course, but it must be supplemented by detection and response capabilities that can mitigate the damage of any incident and avoid claims of negligence in the handling of sensitive data. Wolf’s DenSecure cybersecurity team and our Virtual Privacy Officer can help – reach out today.