Posted on 08/28/2018 at 10:36 AM by John Lande
Security blog Krebs on Security is reporting that Fiserv, Inc. recently implemented a fix for a “glaring weakness” that “exposed personal and financial details of countless customers across hundreds of bank Web sites….” The full Krebs article can be found here. The security flaw apparently allowed fraudsters to insert code into their own web browsers and obtain financial information about bank customers, including their email address, phone number, and the last four digits of their bank account numbers. According to the article, Fiserv claims to have corrected the error.
This is a serious problem for financial institutions. The attorneys at Dickinson Law have reviewed many vendor service agreements between financial institutions and vendors like Fiserv. This blog has previously covered issues with these vendor agreements. These agreements almost always try to put the risk on financial institutions if there is a security breach, even if the vendor is responsible for the breach. Many of these vendor agreements also have lax reporting requirements for the vendor to report any potential breach to the financial institution.
This is potentially damaging to financial institutions because the Gramm-Leach-Bliley Act (“GLB”) may require financial institutions to notify depositors of the security breach even though the institution was not responsible. Many vendor agreements do not include any obligation for the vendor to reimburse financial institutions for costs associated with responding to a breach, even if the vendor is responsible for the breach. Even when the agreement does require the vendor to indemnify the financial institution, the contracts often limit the total indemnification to the amount the financial institution pays in fees to the vendor. The costs of compliance may, in some cases, dwarf those fees, so institutions should try to negotiate exceptions to those limits.
Financial institutions need to spend time reviewing their vendor agreements. The time to figure out who pays for a security breach is not when the breach occurs, but the months and years before a breach. Financial institutions should also determine whether or not the Fiserv breach has subjected them to potential GLB compliance issues, and whether Fiserv has any obligation to help them pay for the compliance costs.
Financial institutions should take time during the next contract renewal period to try to correct any imbalances in their vendor agreements. Knowledgeable attorneys can help financial institutions identify key gaps in their vendor agreement coverage, and try to provide better coverage for events like this.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.