CYBERSECURITY CASE WATCH – BESSEMER v. FISERV
Despite the immature procedural history, Bessemer v. Fiserv is a fascinating exposé of possible legal liabilities when an MSP/MSSP allegedly fails to deliver promised services to a client. This two-part article provides a brief snapshot of this complicated case to date and offers 4 tips on how to avoid similar lawsuits.
Bessemer Sys. Fed. Credit Union v. Fiserv Sols., LLC, C.A. 2:19-cv-00624-RJC (W.D.Pa. 2020).
Bessemer is a federal credit union with more than 4,000 members. Fiserv provides technology solutions to financial services providers, which included Bessemer. Bessemer and Fiserv executed a Master Services Agreement (“MSA”), requiring Fiserv to provide processing services to Bessemer, an online banking website, and cybersecurity.
Prior to executing the MSA, Fiserv represented to Bessemer that the online banking website satisfied Federal Financial Institutions Examination Council ("FFIEC") requirements. This proved incorrect and Bessemer further alleged that Fiserv knowingly implemented lax and weak security controls.
As a result of Fiserv’s purported fraudulent behavior, failure to maintain anti-virus/malware software, and breach of the MSA, Bessemer claims it suffered several security breaches. Bessemer’s member data was sent to incorrect financial institutions and compromised, creating data errors and account inaccessibility. Members also missed dividend payments and Bessemer’s computer system crashed.
Following the parties' attempt at alternative dispute resolution, they executed a settlement agreement that required Fiserv to return Bessemer’s customer records, pay damages, and provide deconversion services. Fiserv purportedly breached the settlement agreement, prompting Bessemer to file suit in the Western District of Pennsylvania for claims ranging from breach of contract to fraud. In response to Bessemer’s 13 causes of action, Fiserv filed a preliminary motion to dismiss. The Court dismissed several of the claims as generally duplicative, untimely, or barred by the MSA. However, the Court maintained the following actions, which pose a great financial threat to Fiserv:
1. Fraudulent Inducement Claim
Bessemer alleged that it could not have reasonably discovered that Fiserv misrepresented FFIEC compliance regarding the banking website. While potentially time-barred, the Court could not determine when or how Bessemer could have discovered the misrepresentation. Therefore, the claim was maintained, which now allows discovery on the issue.
2. Bailment Claim
"A bailment is a delivery of personalty for the accomplishment of some purpose upon a contract, express or implied, that after the purpose has been fulfilled, it shall be redelivered to the person who delivered it, otherwise dealt with according to his directions or kept until he reclaims it." Price v. Brown, 545 Pa. 216, 680 A.2d 1149, 1151-52 (Pa. 1996). The Court held that Bessemer sufficiently alleged bailment in stating that it provided its account records and information in a tangible format to Fiserv, which Fiserv (who had exclusive control over such records) failed to return and actually damaged.
3. Misappropriation of Trade Secrets Claim and Defend Trade Secrets Act Claim
In support of both its claim for misappropriation of trade secrets under the Pennsylvania Uniform Trade Secrets Act ("PUTSA") and its claim for violation of the federal Defend Trade Secrets Act ("DTSA"), Bessemer asserts that Fiserv misappropriated Bessemer's trade secrets by acquiring them through improper means, namely: false acts, omissions, concealment, and misrepresentations (specifically regarding the security controls that would be used to protect Bessemer's trade secrets). Bessemer asserts that Fiserv misappropriated Bessemer's trade secrets by failing to return them after Fiserv was terminated and by exposing the trade secrets to the threat of hackers. The Court declined to dismiss these claims given the need to examine whether the "member information" and other purported trade secrets asserted by Bessemer have some independent economic value in this case.
4. Breach of the MSA
The Court denied Fiserv's Motion to Dismiss as to Bessemer's claim for breach of the MSA, as it was not necessary for Bessemer to state exactly which provisions of the MSA were breached by Fiserv.
5. Claim for Punitive Damages
The Court held that Bessemer’s fraud claims were exempt from the MSA's Limitation of Liability provision.
Therefore, Fiserv may not only be forced to pay realized economic losses but may also be financially sanctioned in a manner designed to punish it for any proven misdeeds.
Bessemer will be an enormously expensive suit to both prosecute and defend. For Fiserv, it is a lose-lose, as regardless of the ultimate award, its reputation is severely damaged in the financial marketplace and defending the litigation will cost hundreds of thousands of dollars. Without dissuading those needing judicial intervention, MSSPs/MSPs and their clients should consider the following bits of advice before entering into MSAs:
1. MSSPs/MSPs – the Bessemer court’s recent opinion takes a conservative approach to Fiserv’s potential liability (in my opinion). A California, Missouri, Illinois, Florida, or Louisiana court, whether State or Federal, may take a different position. Make sure to tread lightly in the courtrooms of states with high rates of plaintiff-positive verdicts in commercial liability matters.
2. MSSPs/MSPs – NEVER misrepresent or embellish capabilities. If there is doubt about a projected or current capability, do not advertise it. While there is very limited case law regarding liabilities imposed on MSSPs/MSPs, fines imposed by the Federal Trade Commission and the Office of Civil Rights, Department of Health and Human Services are increasing. It is expected that judges and juries will mimic this trend.
3. Clients – get assistance from an attorney before entering into MSP/MSSP agreements and ensure your internal staff or an outside IT consultant can verify MSP/MSSP capabilities. Insist on seeing the MSSP/MSP’s cyber liability insurance, ask to be added as an additional insured in appropriate circumstances, and consider requiring the use of binding arbitration for MSAs. Courtroom publicity is unfavorable for either the plaintiff or defendant, as it exposes both parties to additional liabilities with third parties.
4. Clients – blind reliance on MSP/MSSPs absent independent investigation will not be favorably reviewed by any court, especially for financial institutions and in states like New York. Do not expect to sign away all cybersecurity responsibilities and claim naivete in the event of a serious security incident.