MADISON, Wis.–Cyber-related litigation targeting credit unions, even in cases where a breach hasn’t occurred, requires CU leaders be aware of how they can be at risk, including from violations of the law in states that can be far away from the CU itself, according to one person.
In remarks shared during TruStage’s Discovery 2025 virtual event, Andrea McKay, claims manager with Beazley Insurance Services, which provides cyber insurance to many credit unions, cautioned that “pixel litigation” is something every CU must understand.
Pixel litigation refers to lawsuits filed against organizations for allegedly violating privacy laws through the use of tracking pixels on their websites. The lawsuits are related to site functionality that can track user activity and share data with third parties.
After initially targeting hospitals, “Plaintiffs’ attorneys were able to get some very large settlements out of that litigation and now this year they have decided that financial institutions is the new space they are going to target,” McKay said. “Luckily, we believe we have much better defenses in this space…Most (credit union) websites have pixels on them, but the information they’re collecting is not going to be as sensitive…But that’s not stopping these plaintiffs attorneys from filing them.
‘A Couple of Big Ones’
“Unfortunately, right now we have a couple big ones in the credit union space…for having pixels on their websites and for collecting information that, by the way, was not super-sensitive information.”
The information captured included what page a visitor was looking at, and whether they looked at the site for a loan or credit card, for example.
Credit unions in many of these lawsuits have found themselves targeted for violations of an old wiretapping law on California’s books that has been repurposed for lawsuits today.
McKay said it’s critical a CU knows the information it is tracking, and the unawareness of what CU sites capture has left many credit unions caught off-guard.
Is This Necessary?
“Is it necessary to be collecting all the pieces of information you’re collecting? If not, then stop. If you’re going to continue, then you need to have a banner on your website that fully discloses what you are collecting,” she said. “A lot of these allegations are violations of privacy policy. You want to make sure your privacy policy is really spelling out what you are collecting on your website.”
Data Breach Class Actions
Numerous credit unions have been hit with class action lawsuits following data breaches, and there has been a trend toward smaller classes, said McKay. She theorized the reason is some attorneys saw other attorneys winning big settlements, and they began looking for any group of plaintiffs that might have a claim.
“The thing is, even if it’s a small class they’re very expensive to defend,” said McKay. “I guess that’s the good news is now we are finding ways to resolve them in creative ways…for a fraction of the cost.”
She encouraged every credit union to make sure it has very good counsel in place prior to any lawsuit.
