LOS ANGELES — POLAM Federal Credit Union has become the latest credit union to file a federal lawsuit accusing Fiserv of misrepresenting the security of its systems and exposing sensitive member data, including allegedly sharing confidential information between credit unions.
The complaint, filed March 5 in the U.S. District Court for the Central District of California, alleges that Fiserv failed to implement basic cybersecurity protections while assuring POLAM that its systems met industry and federal security standards. Similar to other lawsuits, the POLAM FCU complaint further alleges the data processor attempted to force the credit union to purchase a replacement security product while still under contract.
The case was filed by NERKO PLLC, a law firm formed to represent credit unions in disputes with third-party vendors, which is led by Managing Partner Charles Nerko, who is representing five other credit unions in litigation against Fiserv.
The $70-million POLAM FCU serves members of the Polish-American community in Southern California and said it relied on the assurances it was given when it contracted with Fiserv to provide core technology services under a 2014 master agreement and later amendments.
Similar to the other lawsuits, too, the credit union alleges Fiserv’s systems lacked basic safeguards such as proper multi-factor authentication and instead used weaker methods such as email passcodes or, in some cases, no multi-factor authentication at all.
Key Allegation
A key allegation in the complaint that differs from some of the other suits filed involves the handling of confidential data. The filing states that Fiserv “disclos[ed] them to unauthorized third parties,” including instances in which another credit union’s sensitive information was sent to POLAM and, conversely, POLAM’s confidential information was disclosed to other credit unions.
“Fiserv has failed to handle POLAM’s and other financial institutions’ data with basic and reasonable care, disclosing them to unauthorized third parties,” the complaint states. “Fiserv has sent another credit union’s extraordinarily sensitive confidentialinformation to POLAM. Likewise, Fiserv disclosed POLAM’s extraordinarily sensitive confidential information to other credit unions. Fiserv’s safeguards are grossly deficient, noncompliant, and below any reasonable standard of care.”
POLAM alleges that Fiserv has put at risk highly sensitive information such as member names, Social Security numbers, account numbers, balances and transaction histories, which it alleges exposes members to risks including identity theft, fraud and unauthorized account access.
Not NIST Compliant
The lawsuit also claims Fiserv misrepresented its cybersecurity practices by stating that its security program aligned with the National Institute of Standards and Technology (NIST) cybersecurity framework, which the complaint alleges was not the case.
POLAM further alleges that Fiserv is attempting to pressure customers to purchase new security products or pay significant termination fees if they seek to leave its platform.
The credit union is seeking damages, recovery of payments for services it claims were deficient, and court orders preventing Fiserv from imposing exit fees and requiring improved safeguards to protect member information.
The complaint demands a jury trial.
The CU Daily has contacted Fiserv for comment.
