Now that a Minnesota judge has given class action status to a lawsuit by five financial institutions against Target over its 2013 data breach, many in the credit union industry are eagerly looking forward to the proceedings and new regulations they could advance.
Clark Yelverton, who is president/CEO of the $288 million, Lake Charles, La.-based CSE Federal Credit Union, was especially pleased with the decision. His credit union is one of five financial institutions – and the only credit union – that asked for an injunction in April after Target offered $19 million to settle breach claims with MasterCard issuers.
"As one of the many credit unions that suffered substantial losses as a result of Target's failure to adequately protect its sensitive payment data, we were frustrated, particularly as the data breach took place during the busiest shopping season of the year," Yelverton said after the decision. "We were forced to spend thousands of dollars to reissue hundreds of cards and to reimburse members for fraudulent transactions. Additionally, we had to address member confusion and complaints, and change or cancel accounts. Even though financial institutions are held to extremely high standards of securing member information, we were ultimately the ones that had to incur the costs of one of the largest data breaches in U.S. history."
Yelverton said that after the court certified the class, many more credit unions and banks expressed support for the litigation. NAFCU and CUNA also voiced their support.
"We knew litigation would be our best avenue for recovery, and other financial institutions certainly shared that sentiment," Yelverton noted.
Credit unions incurred at least $30 million in card reissuance costs related to the Target breach, according to CUNA President/CEO Jim Nussle. Nussle said he is encouraged by the decision and hopes it will result in financial recovery for affected credit unions.
The Independent Community Bankers of America, which also applauded the decision, said community banks had to reissue more than 11.5 million debit and credit cards and incurred more than $130 million in reissuance costs due to the breach.
"U.S. District Judge Paul Magnuson was right to grant class action status to the Target case," it said in a statement.
The Wisconsin Credit Union League, which is also active in the class action suit against Home Depot for its data breach, said after the decision that Wisconsin credit unions incurred more than $600,000 in costs related to the Target breach.
"Our industry is striving to stop the data breaches because credit union members see fewer financial benefits returned to them for every dollar credit unions must direct to such losses," it noted.
In an email to credit union leaders after the decision, Michigan Credit Union League President/CEO David Adams also expressed support for the ruling and laid out the road ahead.
"When Congress returns in January, MCUL will aggressively communicate this position to the Michigan congressional delegation," Adams said. "MCUL will also support congressional action that would hold all retailers financially liable for such future data breaches. The league will work with CUNA to seek these judicial and legislative remedies."
Indeed, aside from proceeding with the suit, the next task appears to be lobbying for legislation aimed at regulating retailers.
"This lawsuit is only one part of the equation," NAFCU Senior Vice President of Government Affairs and General Counsel Carrie Hunt said after the ruling. "To prevent these types of data breaches in the future, Congress must act to protect consumers' financial information by enacting national data security standards for retailers and holding them directly accountable for their data breaches."
In January, Michigan credit unions should expect to see a survey intended to collect data and information to support legislative action, according to the Michigan Credit Union League. In addition, the Wisconsin Credit Union League is conducting a letter writing campaign urging support for H.R. 2205 and S. 961, bills that have both been dubbed the Data Security Act of 2015. That league has a goal of 800 contacts, it said.
Clark Yelverton probably isn't taking his eye off the lawsuit ball anytime soon, however. Discovery in the case is in motion, and if it goes to trial, he'll likely have a big court date around this time next year.
As many as 9,000 credit unions and other financial institutions may be eligible to join the suit, according to one of the attorneys on the case.
"What will make this all worthwhile will be knowing that we finally sent a message that card issuers should not have to bear the burden of paying the substantial costs for these breaches, and that it is time for Congress to establish rules and measures to hold retailers accountable," Yelverton said.
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
