Bessemer Sys. Fed. Credit Union v. Fiserv Sols.

BESSEMER SYSTEM FEDERAL CREDIT UNION, on behalf of itself and members, Plaintiff, v. FISERV SOLUTIONS, LLC and FISERV, INC., Defendants.

No. 2:19-cv-00624-RJC

United States District Court, W.D. Pennsylvania

September 15, 2021

MEMORANDUM OPINION

Robert J. Colville United States District Judge

Before the Court is the Motion to Dismiss Counterclaims (ECF No. 92) filed by Plaintiff/Counterclaim-Defendant Bessemer System Federal Credit Union (“Bessemer”). Bessemer seeks dismissal, pursuant to Fed.R.Civ.P. 12(b)(6), of the Counterclaims set forth by Defendant/Counterclaimant Fiserv Solutions, LLC, f/k/a Fiserv Solutions, Inc. (“Fiserv Solutions”) in the operative “First Amended Answer and Affirmative Defenses to Second Amended Complaint and Counterclaims” (ECF No. 88).^[1] The Court has jurisdiction in this matter pursuant to 28 U.S.C. § 1332(a). Bessemer's Motion has been fully briefed, and is ripe for disposition.

I. Factual Background & Procedural History

A comprehensive factual background of this case was set forth in this Court's July 14, 2020 Opinion (ECF No. 69) in this matter, which addressed a Motion to Dismiss (ECF No. 52) that had been filed by Defendants with respect to Bessemer's operative Second Amended Complaint (ECF No 48) (“Complaint”). In the interest of judicial economy, the Court sets forth below the facts alleged in the Complaint largely verbatim to its summary of such facts in the July 14, 2020 Opinion, but notes that: (1) certain of Bessemer's claims related to such allegations were dismissed by way of the Order of Court (ECF No. 70) accompanying the Court's Opinion; (2) the Court has omitted allegations and averments set forth in the Complaint that are not relevant herein from its summary and has supplemented its summary with additional allegations and averments from the Complaint that are relevant herein; and (3) Defendants have denied many of the below allegations.^[2]In its Complaint, Bessemer sets forth the following allegations:

Bessemer is a member-owned, federally chartered not-for-profit credit union. Compl. ¶ 10, ECF No. 48. Bessemer provides financial services to its more than 4, 000 members. Id. At ¶ 11. Defendants provide technology solutions to credit unions, banks, and other financial services providers. Id. at ¶ 20. Bessemer and Fiserv Solutions were parties to the Master Agreement pursuant to which Defendants provided services and products to Bessemer.^[3] Id. At ¶ 26. Defendants provided account processing services to Bessemer, including a core processing system referred to as “Charlotte.” Id. at ¶ 21. Core processing systems process and record all financial transactions for a financial institution. Id. Defendants also hosted Bessemer's online banking website “Virtual Branch, ” through which Defendants processed Bessemer members' online account transactions. Id. at ¶ 22.

Prior to entering into the Master Agreement, Defendants represented to Bessemer, by way of a February 27, 2012 email, that the Virtual Branch online banking website satisfied Federal Financial Institutions Examination Council (“FFIEC”) requirements despite the fact that Virtual Branch did not satisfy these requirements. Compl. ¶ 29-33, ECF No. 48. Despite several representations and advertisements asserting that Defendants' services were of a certain quality, as well as secure and private, Defendants' performance was purportedly not in accordance with such representations or the Master Agreement. Id. at ¶¶ 34-43. Defendants implemented lax and weak security controls to protect the accounts and valuable confidential information of Bessemer's members, and Defendants were put on notice on several occasions such that Defendants knew that their security measures were insufficient. Id. at ¶¶ 47-79. Defendants suffered a security breach in 2016 which caused Defendants to provide confidential Bessemer member information to another financial institution. Id. at ¶ 48, ECF No. 48. Defendants also placed the wrong return address on biannual account verifications in 2017. Id. at ¶ 49. Defendants ceased installing and updating antivirus software on Bessemer's systems at some point without explanation. Id. at ¶ 50. Despite being aware of the aforementioned security lapses, and despite receiving notice from Bessemer, other customers, and the media that Defendants' security measures were inadequate, Defendants only took action to remedy their security deficiencies after receiving negative press coverage. Id. at ¶¶ 47-79. Defendants' attempts to fortify their security after receiving notice of its security deficiencies were also purportedly ineffective and deficient. Id. at ¶¶ 64-65; 78.

In July 2018, Defendants falsely represented to Bessemer that a member's account had been closed and made changes to that member's account, temporarily depriving the member of dividends and access to the member's account. Compl. ¶ 88, ECF No. 48. On several occasions, Defendants' system provided inaccurate and falsified loan information and documents to Bessemer and its members. Id. at ¶¶ 90-96. Despite being aware of problems with their system which caused these inaccuracies, Defendants did not take action to remedy these problems. Id. at ¶¶ 93-94, 98.

Defendants' account processing system suffered from a number of bugs and defects which resulted in, inter alia, Bessemer's and its members' inability to access account processing services, system crashes and errors, latency in the account processing services, errors in the information reported by Defendants' system, and failure to perform the necessary services which the system was supposed to provide. Compl. ¶¶ 99-115, ECF No. 48. Defendants repeatedly issued erroneous invoices to Bessemer that contained incorrect balances and also charged for services that did not function properly or that Bessemer had asked Defendants to cease providing. Id. at ¶ 128. Defendants represented that certain hardware upgrades would remedy the issues Bessemer was experiencing with Defendants' system. Id. at ¶¶ 129-131. Bessemer made the recommended upgrades, but such upgrades did not remedy the issues Bessemer was experiencing with respect to Defendants' system. Id. Defendants also misrepresented the cost for an additional service under the Master Agreement requested by Bessemer. Id. at ¶ 134. Defendants stopped providing Office of Foreign Assets Control scans for Bessemer, did not provide the requisite written notice to Bessemer regarding this service, and tasked Bessemer with performing these scans. Id. At ¶ 135. Defendants did not adequately address support requests submitted by Bessemer with respect to issues with Defendants' system. Id. at ¶ 137.

On January 8, 2018, Bessemer sent a “Notice of Breach” to Fiserv Solutions invoking the dispute resolution provision of the Master Agreement. Compl. ¶ 139, ECF No. 48. By way of this Notice, Bessemer also requested that Defendants provide documents to Bessemer related to Defendants' security measures and to invoices that had been provided by Defendants to Bessemer. Id. at ¶¶ 140-145. Defendants failed to provide any such documentation to Bessemer, and failed to participate in good faith in the dispute resolution process set forth in the Master Agreement. Id. at ¶¶ 146; 150.

Bessemer sent a notice of termination of the Master Agreement to Defendants on April 11, 2018. Compl. ¶ 152, ECF No. 48. Following negative media coverage in August of 2018 respecting Defendants' purportedly inadequate security measures, Bessemer undertook what it refers to as a “security review” of Defendants' security controls. Id. at ¶¶ 58-59. The “security review” uncovered critical security flaws with respect to Defendants' online banking system. Id. at ¶ 59. More specifically, Bessemer asserts that the only requirements imposed by Defendants for registering for an online banking account with Bessemer were: (1) an account number; and (2) the last four digits of the member's Social Security number. Id. at ¶ 60. Bessemer asserts that this information can easily be guessed or fraudulently obtained, and further alleges that Defendants failed to implement a “lockout” system, which in turn enabled anyone to make unlimited guesses (or use an automated system to make such guesses) as to the last four digits of the member's Social Security number. Id. at ¶¶ 60-62. Bessemer asserts that these security measures were deficient, and alleges that the “security review” further uncovered an issue with Defendants' online banking system that allowed a user to bypass the webpage which required a member to accept Bessemer's online banking website's terms of service. Id. at ¶¶ 63; 66. Defendants attempted to implement additional security controls during the course of Bessemer's “security review, ” but the same were ineffective. Id. at ¶¶ 64-65.

Bessemer notified Defendants via letter dated September 28, 2018 that the “security review” had taken place, and further informed Defendants of the security vulnerabilities revealed by way of the “security review” and also requested documents from Defendants to allow Bessemer to conduct an audit of Defendants' security practices. Compl. ¶ 67, ECF No. 48. In response, Defendants through their counsel, sent a responsive letter dated September 30, 2018 to Bessemer informing Bessemer that Bessemer's “security review” constituted a breach of the Master Agreement and that the same was also illegal under the common law and statutory law. Id. at ¶ 68; see also Answer ¶ 68, ECF No. 88. The September 30, 2018 letter further requested that Bessemer: (1) turn over certain information; (2) preserve and maintain records; and (3) not disseminate or disclose information obtained via the “security review.” Compl. Ex. 7 at 3-4, ECF No. 48-8. Bessemer's counsel sent a responsive letter to Defendants'...