The Non-Financial Ledger
There is a specific kind of violation that happens when the most private facts about your life are taken from you without your knowledge. Not money. Not property. Your identity.
Think about what was in that breach. Your Social Security number — the number that, once exposed, can be used to open credit cards, take out loans, file fraudulent tax returns, and claim government benefits in your name for years. Your passport number. Your driver’s license number. Your bank account and routing numbers — the keys to your actual money. Your payment card numbers. Your taxpayer ID. And, for at least some of the 34,866 people affected, something even more intimate: health insurance information and biometric data.
Biometric data is not a password you can change. It is your fingerprint. Your face. Your voice pattern. When that is gone, it is gone. There is no “reset biometrics” button. The people whose biometric data was exposed by LA Financial’s breach carry that exposure for the rest of their lives.
And then they waited three months to hear about it. The breach happened on or about June 10, 2024. LA Financial did not send notices to affected customers until September 11, 2024. Three months is long enough for someone who has your Social Security number and bank account details to do serious, lasting damage. Fraudulent accounts get opened. Tax refunds get stolen. Credit scores get wrecked. Those problems do not resolve themselves after the notice letter arrives.
The credit union is a financial institution. These are people who trusted LA Financial with their money and their most sensitive personal records. The relationship between a member and their credit union is built on an expectation of care. That expectation was broken.
The settlement offers these 34,866 people the chance to file a claim for losses they can document. For most people, the paperwork burden alone — collecting statements, writing sworn attestations, proving which expenses were “fairly traceable” to the breach — will cost more in time than the payment is worth. People with full-time jobs and families don’t have the bandwidth to run a small claims audit on their own behalf. The settlement is structured in a way that makes it easy to do nothing, and hard to get what you actually lost.
The $50 “alternative cash payment” for people who can’t or won’t document their losses is the settlement’s answer to that reality. Fifty dollars is one tank of gas. It is four days of lunch. It is not compensation for having your passport number, your bank account, and your fingerprints loose in the world.
Straight From the Document
Every claim in this investigation comes from the settlement agreement itself. Here is the language that matters most.
“The types of Private Information that were allegedly impacted include first and last names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, state identification numbers, account numbers, payment card numbers, routing numbers, taxpayer identification numbers, and reportedly health insurance information and biometric data.”
- This is the full scope of what was exposed. The word “reportedly” before “health insurance information and biometric data” signals that those two categories were not fully confirmed at the time of settlement, but were serious enough to include in the agreement’s definition of Private Information.
- Ten distinct categories of sensitive data are listed. The combination of Social Security numbers, bank account numbers, routing numbers, and payment card numbers together gives a bad actor everything needed to drain accounts and commit financial fraud.
- Biometric data and health insurance information sitting alongside financial identifiers makes this one of the broadest data exposure profiles possible for a single breach event.
“LA Financial specifically denies any and all wrongdoing. The existence of, terms in, and any action taken under or in connection with this Agreement shall not constitute, be construed as, or be admissible in evidence as, any admission by LA Financial of (i) the validity of any claim, defense, or fact asserted in the Action or any other pending or future action, or (ii) any wrongdoing, fault, violation of law, or liability of any kind on the part of the Parties.”
- LA Financial is paying $725,000 to make this case go away while legally preserving its ability to say, in any future context, that it did nothing wrong. This language is standard in class action settlements but its effect is real: 34,866 people get no acknowledgment that they were failed.
- The settlement cannot be cited in any future lawsuit against LA Financial as evidence of prior negligence. Each future plaintiff starts from zero.
- The credit union gets what amounts to a liability firewall: it pays, and the record is clean.
“Class Counsel will file a motion seeking an award of attorney fees of up to one-third of the Settlement Fund (i.e., $241,666.66) and reasonable costs and expenses no later than fourteen (14) days prior to the Objection Deadline.”
- Up to $241,666.66 of the $725,000 fund is earmarked for attorneys before a single class member receives a dollar. That leaves at most $483,333.34 for 34,866 people — or roughly $13.86 per person before administrative costs and service awards are also subtracted.
- Three separate plaintiffs’ law firms share that fee: Strauss Borrelli PLLC, Milberg Coleman Bryson Phillips Grossman, PLLC, and EKSM, LLP.
- The settlement is explicitly not conditioned on fee approval, meaning it cannot be unwound simply because a court reduces the attorneys’ cut.
“LA Financial has enhanced its cyber security software, data and privacy protocols, and technology-related security measures. These enhancements provide meaningful benefits to all Class Members, regardless of whether they submit a claim and LA Financial estimates they have cost $125,000.00. The Parties agree that this valuation is separate from and in addition to the amount of the Settlement Fund.”
- LA Financial is presenting its own cost of fixing its own security failures as an additional benefit to the class. The $125,000 in security upgrades is money the company spent on itself — hardening systems that should have been secure before the breach.
- By framing it as “separate from and in addition to” the settlement fund, the parties are inflating the perceived value of the settlement from $725,000 to $850,000. That framing will appear in court filings arguing the settlement is fair and reasonable.
- Class members receive no money from the $125,000. It is a corporate expense being positioned as consumer benefit.
“To the extent any monies remain in the Net Settlement Fund more than 120 days after the distribution of all payments… a subsequent Settlement Payment will be evenly distributed to all Settlement Class Members with Approved Claims… provided that the average check amount is equal to or greater than three dollars ($3.00).”
- Any residual funds that cannot be distributed at a minimum average of $3.00 per person go to a third-party nonprofit — the Identity Theft Resource Center — rather than back to the people whose data was stolen. The harmed individuals do not receive those dollars.
- Cy pres distributions are a common mechanism in class action settlements and courts have approved them for decades, but they mean that unclaimed or undistributed money leaves the class entirely.
- Low claim rates — which are typical in data breach settlements because many affected people never see the notice or don’t bother filing — can push a larger share of the fund toward cy pres and away from individual payments.
Who Gets Hurt and How
Public Health of Personal Data
A data breach involving this combination of identifiers does not create a single moment of harm — it creates ongoing, compounding exposure for years. Here is what the affected population faces:
- Social Security numbers, once exposed, are traded, sold, and reused across criminal networks indefinitely. The 34,866 people affected cannot “un-expose” theirs. The harm is permanent.
- Biometric data — which the settlement agreement explicitly includes as “reportedly” compromised — cannot be reset or replaced. Any person whose fingerprints, facial geometry, or other biometric identifiers were stolen faces lifelong impersonation risk in any system that uses biometrics for authentication.
- Health insurance information in malicious hands enables medical identity theft: fraudulent claims filed under the victim’s name, contaminated medical records, disrupted coverage, and bills for procedures the victim never received.
- Bank account numbers combined with routing numbers give direct access to fund transfer mechanisms. Victims face potential unauthorized ACH withdrawals and wire transfers.
- The three-month notification delay — from June 10 to September 11, 2024 — meant affected customers had no opportunity to place fraud alerts, freeze their credit, or monitor accounts for unauthorized activity during the period of highest risk immediately following the breach.
Economic Inequality
Data breach settlements systematically distribute recovery money in inverse proportion to how much harm people actually suffer. The class action structure creates winners and losers within the affected group:
- People with the time, literacy, and documentation to file a Documented Loss Claim can recover up to $5,000. That group skews toward people who are already more financially stable, more educated, and more familiar with legal processes.
- People who are working multiple jobs, lack consistent internet access, or simply did not receive or understand the notice letter will receive nothing at all, despite being equally harmed.
- The “Alternative Cash Payment” estimated at “$50 or more” is the default for the majority who cannot document losses. Fifty dollars does not cover a credit freeze ($0 in California but not universally), hours spent on hold with financial institutions, or the cost of identity monitoring services.
- California residents receive an additional $100 statutory payment under the California Consumer Privacy Act. Residents of other states — including the Arizona and Oregon plaintiffs named in the original complaints — receive no equivalent statutory benefit, even though the same data was compromised and the same legal claims were asserted on their behalf.
- Up to $241,666.66 in attorneys’ fees flows to three law firms. The three named class representatives can each receive up to $5,000 in service awards. The remaining 34,863 people split what is left.
What $725,000 Actually Buys
The settlement fund is structured in a way that prioritizes process over people. Here is the documented math on what affected individuals actually receive.
- $725,000 total fund divided by 34,866 affected individuals equals approximately $20.80 per person if every dollar went directly to the class. None of it does.
- Up to $241,666.66 goes to attorneys’ fees — one-third of the entire fund. Service awards for three named plaintiffs can reach $5,000 each, totaling up to $15,000. Administrative expenses, notice costs, and taxes are also drawn from the same pool before class members see a dollar.
- The “Alternative Cash Payment” — the option available to anyone who doesn’t document specific losses — is estimated at “$50.00 or more.” That estimate assumes relatively low claim rates. If more people file, the pro-rata amount drops further.
- The settlement contains no admission of wrongdoing. There is no record establishing that LA Financial failed its members. Every future victim of a similar breach at this institution or any other starts their legal fight from scratch.
- LA Financial agreed to implement cybersecurity improvements and spent an estimated $125,000 on those upgrades. The settlement frames this as an additional benefit to class members. It is a cost the credit union had to absorb regardless — the alternative was being more vulnerable to future attacks.
- Any settlement funds that cannot be distributed in increments of at least $3.00 per person go to a nonprofit, not back to the affected members. The people whose data was stolen are legally excluded from those residual dollars.
The “Cost of a Life” Metric
Maximum gross value of the settlement fund per affected person, before attorneys’ fees, administrative costs, and service awards are deducted. This is what LA Financial’s data security failure costs the institution per member whose Social Security number, bank account details, biometric data, or health insurance records were exposed.
The maximum attorneys’ fee award — more than the total individual recovery for approximately 11,600 affected class members combined at the estimated $20.80 gross rate. Three law firms share this amount from the same $725,000 fund that is supposed to compensate 34,866 people.
This Is the System Working as Intended
The LA Financial settlement is not a failure of the class action system. It is the class action system doing exactly what it was designed to do in a data breach case: manage liability, limit exposure, and let the institution continue operating without admitting fault.
- The settlement includes a broad release of all claims “arising from or related to the Data Security Incident” — including claims the class members don’t even know they have yet. The Representative Plaintiffs explicitly waive California Civil Code § 1542, which normally protects people from releasing unknown future claims. That protection is gone.
- Three separate lawsuits, filed within weeks of each other and consolidated within months, resolved through a single full-day mediation session. The speed of resolution reflects that both sides had incentives to settle quickly: attorneys get paid, and the institution avoids discovery, trial, and the public exposure of its security practices.
- The settlement is explicitly “non-reversionary” — no money goes back to LA Financial after the Effective Date. This is framed as a consumer protection feature. It also means LA Financial has every incentive to ensure the settlement fund is seen as generous enough to win court approval, because once approved, it is done. The institution’s exposure is capped at $725,000 plus the $125,000 in security upgrades.
- California residents receive an additional $100 payment under the California Consumer Privacy Act — a law specifically designed to create financial consequences for data breaches. Residents of Arizona and Oregon, whose state consumer protection laws were also cited in the complaint, receive no equivalent benefit. The structural protection available to you depends entirely on your zip code.
- The mediator, the settlement administrator (Epiq), and the three plaintiffs’ firms are all repeat players in the class action settlement ecosystem. The affected 34,866 individuals are, by definition, one-time participants who have no experience navigating the claims process and no ongoing relationship with any of the institutions managing their money.
- LA Financial denies all wrongdoing. The settlement cannot be used against them in future litigation. The credit union’s legal record, as it relates to this breach, is clean. The members whose data was stolen have no such clean record — their Social Security numbers, biometrics, and financial identifiers remain exposed.
What a Legitimate Fix Looks Like
The following recommendations are editorial analysis based on the documented failure modes in this case. They are not findings of the settlement document.
The core structural failure this case exposes: data breach victims bear permanent, irreversible harm while the institutions responsible bear capped, finite liability, admit nothing, and continue operating with their legal record intact.
Regulatory Track
- Mandatory 72-hour breach notification. LA Financial took three months to notify affected members. Federal and state regulators should require financial institutions to notify customers within 72 hours of confirming a breach — consistent with GDPR-style standards that already exist in other jurisdictions — not after internal legal review is complete.
- Biometric data breach protocol. No federal standard currently mandates specific remediation steps when biometric data is exposed. The CFPB and relevant state regulators should establish mandatory protocols for biometric compromise, including lifetime fraud monitoring at institutional expense, because there is no consumer action that mitigates this exposure.
- Pre-breach security audits for institutions holding this data profile. Any financial institution holding the combination of SSNs, biometrics, account numbers, routing numbers, and health insurance data should be subject to mandatory third-party security audits with results reported to regulators, not self-assessed.
Legislative Track
- National data breach statute with uniform per-person minimums. The current framework creates a two-tier recovery system where California residents receive statutory payments unavailable to residents of other states for the same breach and the same harm. A federal baseline per-person statutory damage floor — modeled on the CCPA’s approach — would eliminate this geographic inequality.
- Cap class action attorneys’ fees as a percentage of actual class recovery, not the settlement fund. Allowing attorneys to collect one-third of a fund before class members receive anything creates structural incentives to settle quickly for amounts that benefit counsel more than clients. Fee awards should be calculated after class member distributions, not before.
- Require admission of specific factual findings in settlements involving biometric or health data. No-admission settlements are the norm, but for breaches involving irreversible biometric exposure, the public interest in establishing an accurate factual record outweighs the institution’s interest in a clean legal slate. Courts should require at minimum a stipulated statement of facts as a condition of final approval.
Corporate Governance Track
- Board-level cybersecurity accountability for institutions holding sensitive member data. The settlement documents LA Financial’s agreement to implement unnamed cybersecurity improvements — measures that are kept confidential. Credit union boards and leadership should be required to annually certify to members and regulators that specific security standards are met, with personal liability for material misrepresentation.
- Data minimization as a governance requirement. A credit union does not need biometric data and passport numbers for routine consumer lending. Holding that data profile creates exposure that did not need to exist. Governance standards should require institutions to document the business necessity of each category of sensitive data they retain and purge data that cannot be justified.
Explore by category
Product Safety Violations
When companies sell dangerous goods, consumers pay the price.
View Cases →Financial Fraud & Corruption
Lies, scams, and executive impunity that distort markets.
View Cases →


