After more than a year of legal wrangling and bureaucratic delays, a major lawsuit is moving forward against a fintech giant for its allegedly lax cybersecurity practices.
A Pennsylvania credit union is taking on Fiserv, a Fortune 500 company that claims clients in over 100 countries, in a case that is a test of the legal obligations big financial firms have to protect client data.
Bessemer System Federal Credit Union’s (FCU) originally sued Fiserv in April 2019. After moving to federal court, the case took on new life Tuesday when a judge in the Western District of Pennsylvania ruled that the court would hear some of the credit union’s claims against Fiserv.
The credit union accuses Fiserv, one of three companies that provide the majority of digital infrastructure used by small banks, of taking cybersecurity for granted.
“Rather than addressing the problems by updating its security, Fiserv continued to use outdated security methods long after vulnerabilities were brought to Fiserv’s attention,” the credit union’s legal complaint says.
Bessemer System FCU claims that the online banking platform Fiserv provided the union’s members was so riddled with vulnerabilities that it exposed them to possible identity theft. The credit union is seeking an unspecified amount of monetary relief from Fiserv’s alleged breach of contract and misappropriation of trade secrets, among other allegations. On its website, Fiserv claims to offer customers ample protection against hacking threats.
“We believe the allegations have no merit and will respond to them as part of the legal process,” Fiserv spokeswoman Ann Cave said.
Attorneys representing Fiserv did not respond to a request for comment.
Wisconsin-based Fiserv had tried to get Robert Colville, the Pennsylvania judge, to dismiss the 13 claims for relief that the credit union made against it. But Colville ruled that the court would hear the claim that Fiserv breached its main contract with the credit union and, among others, the claim that the fintech company had violated a federal trade secrets law. Colville dismissed other claims accusing Fiserv of negligence and unfair trade practices.
“Bessemer System Federal Credit Union takes the protection of its members’ information seriously,” said Charles Nerko, an attorney for the credit union. He said Bessemer System FCU was transitioning to a new online banking vendor and would “continue to take appropriate legal actions” against Fiserv.
Stephen Reynolds, a partner focused on data security at the Ice Miller law firm, said the case “should serve as a reminder to financial institutions that security and trust are priorities for many companies.” Federal regulators are increasingly taking a hard look at data security practices in the fintech industry “and failure to follow these best practices can result in millions in fines or irreparable reputational harm,” Reynolds said.
Fiserv is not the only big financial institution whose security practices are in the legal spotlight. In May, a federal judge ordered Capital One to essentially hand over a third-party incident response report to attorneys for bank customers who are suing Capital One over a massive data breach.