Credit union’s lawsuit against Fiserv is a test for cybersecurity liability

The credit union claims that Fiserv's online banking platform was so riddled with vulnerabilities it exposed its members to possible identity theft.
Fiserv's office in Beaverton, Oregon. The fintech giant is facing a lawsuit in federal court for allegedly shoddy security practice. The firm has denied the allegations. (Getty Images)

After more than a year of legal wrangling and bureaucratic delays, a major lawsuit is moving forward against a fintech giant for its allegedly lax cybersecurity practices.

A Pennsylvania credit union is taking on Fiserv, a Fortune 500 company that claims clients in over 100 countries, in a case that is a test of the legal obligations big financial firms have to protect client data.

Bessemer System Federal Credit Union’s (FCU) originally sued Fiserv in April 2019. After moving to federal court, the case took on new life Tuesday when a judge in the Western District of Pennsylvania ruled that the court would hear some of the credit union’s claims against Fiserv.

The credit union accuses Fiserv, one of three companies that provide the majority of digital infrastructure used by small banks, of taking cybersecurity for granted.


“Rather than addressing the problems by updating its security, Fiserv continued to use outdated security methods long after vulnerabilities were brought to Fiserv’s attention,” the credit union’s legal complaint says.

Bessemer System FCU claims that the online banking platform Fiserv provided the union’s members was so riddled with vulnerabilities that it exposed them to possible identity theft. The credit union is seeking an unspecified amount of monetary relief from Fiserv’s alleged breach of contract and misappropriation of trade secrets, among other allegations. On its website, Fiserv claims to offer customers ample protection against hacking threats.

“We believe the allegations have no merit and will respond to them as part of the legal process,” Fiserv spokeswoman Ann Cave said.

Attorneys representing Fiserv did not respond to a request for comment.

Wisconsin-based Fiserv had tried to get Robert Colville, the Pennsylvania judge, to dismiss the 13 claims for relief that the credit union made against it. But Colville ruled that the court would hear the claim that Fiserv breached its main contract with the credit union and, among others, the claim that the fintech company had violated a federal trade secrets law. Colville dismissed other claims accusing Fiserv of negligence and unfair trade practices.


“Bessemer System Federal Credit Union takes the protection of its members’ information seriously,” said Charles Nerko, an attorney for the credit union. He said Bessemer System FCU was transitioning to a new online banking vendor and would “continue to take appropriate legal actions” against Fiserv.

Stephen Reynolds, a partner focused on data security at the Ice Miller law firm, said the case “should serve as a reminder to financial institutions that security and trust are priorities for many companies.” Federal regulators are increasingly taking a hard look at data security practices in the fintech industry “and failure to follow these best practices can result in millions in fines or irreparable reputational harm,” Reynolds said.

Fiserv is not the only big financial institution whose security practices are in the legal spotlight. In May, a federal judge ordered Capital One to essentially hand over a third-party incident response report to attorneys for bank customers who are suing Capital One over a massive data breach.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts