On August 18, 2022, SF Fire Credit Union reported a data breach to the Office of the Attorney General of California after the organization experienced a data security incident impacting the sensitive information of certain members. According to SF Fire Credit Union, the breach resulted in the names, credit card numbers, CVV numbers, card expiration dates, and PIN numbers of certain individuals being compromised. After confirming the breach and identifying all affected parties, SF Fire Credit Union began sending out data breach letters to all affected parties.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the SF Fire Credit Union data breach, please see our recent piece on the topic here.
What We Know About the SF Fire Credit Union Data Breach
The information about the SF Fire Credit Union data breach comes from the company’s official filing with the Attorney General of California. Although the information provided in the letter is sparse, it appears as though the breach occurred from July 2, 2022 through July 6, 2022, as well as on July 30-31 and August 1, 2, 7 and 8. Unfortunately, the company did not provide details about the incident, other than that the breach impacted affected members’ names, credit card numbers, CVV numbers, card expiration dates, and PIN numbers.
In response, SF Fire Credit Union has advised all members that were impacted by the breach that the credit union will be canceling their cards and re-issuing new cards with different numbers. In addition, in lieu of offering free credit monitoring, SF Fire Credit Union is providing all affected members with a one-time deposit of $120 to their account, which they can use to pay for credit monitoring if they choose to.
On August 18, 2022, SF Fire Credit Union sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
More Information About SF Fire Credit Union
Founded in 1951, SF Fire Credit Union is a credit union based in San Francisco, California. Originally created by firefighters exclusively for firefighters, SF Fire Credit Union now serves anyone who lives, works or goes to school in San Francisco, San Mateo and Marin County. SF Fire Credit Union operates three brick-and-mortar locations throughout San Francisco, as well as two shared branches and several dozen ATM machines throughout the area. SF Fire Credit Union employs more than 272 people and generates approximately $40 million in annual revenue.
Can Consumers Sue a Credit Union That Leaked Their Information?
Yes, under U.S. data breach laws, all organizations, including non-profits, educational institutions, government entities and credit unions, have a duty to protect the sensitive consumer information in their possession. Thus, the fact that an organization is a non-profit entity, such as a credit union, does not prevent data breach victims from pursuing a data breach lawsuit against the organization.
Of course, responsibility for a data breach does not always lie with the organization that leaked consumer information. Generally, before any organization is held liable for a data breach, there must be some evidence that the organization was negligent in how it handled the consumer information that was ultimately leaked. Additionally, data breach victims must prove that the organization’s failures were the cause of their harm. In other words, there must be a causal relationship between the organization’s negligence and the data breach victim’s harms—in most cases, this means identity theft or other types of fraud.
Put more simply, to successfully hold any organization financially liable for a data breach, a victim must prove each of the following elements:
The organization owed the victim a duty of care;
The organization breached the duty it owed to the victim;
The organization’s negligence caused or contributed to the victim’s harms (i.e., identity theft); and
The victim suffered economic or non-economic injury as a result.
Importantly, courts have recently held that victims of a data breach do not necessarily need to experience identity theft to pursue a data breach lawsuit. These courts have held that the increased risk of identity theft in the future is sufficient to give the victim legal standing to sue. Thus, victims of a data breach may be able to bring a claim even if they have not yet fallen victim to identity theft or other frauds.
Those who are interested in learning more about protecting their interests and enforcing their rights following a data breach should reach out to an experienced data breach lawyer for assistance.