KNOXVILLE, Tenn. A state appeals court on Wednesday overturned a lower court’s ruling and revived a civil suit brought by Copper Basin FCU and CUMIS Insurance against Fiserv over a July 2009 computer breach that cost the Copper Hill, Tenn., credit union a loss of almost $550,000.
The Court of Appeals for Tennessee ruled that the lower court erred in dismissing the suit on the grounds that a Master Agreement between the credit union and Fiserv’s Integrasys unit required all disputes to be arbitrated in New York and that the credit union and its insurer waited too long to file the suit.
The suit claims that Integrasys had been performing antifraud services for Copper Basin FCU which required the credit union to purchase Trend Micro Antivirus Firewall and Protection software and that Integrasys failed to properly activate the anti-fraud software. This allowed hackers to infiltrate the credit union systems to change user names and passwords in order to originate a series of transfers from the credit union’s account with Volunteer Corporate CU into a large number of privately-owned accounts distributed in banks across the U.S., according to the suit.
Once the theft was discovered, the credit union and VolCorp were able to retrieve all but $545,000 of the stolen funds. In January 2010, CUMIS paid a bond of claim of $540,000 to cover the losses, which included a $5,000 deductible.
The credit union claims it contacted Fiserv/Integrasys to inform the company that the system had been compromised, according to the suit. Because there were no Fiserv personnel on site, a Copper Basin FCU employee attempted to access the Trend Micro Antivirus Protection System. Following a few attempts at guessing the password, she was successful in gaining access to the system. Once access was accomplished, she discovered that the software had never been activated by Fiserv. When the credit union employee clicked the respective icon to activate the software, it immediately engaged, updated its virus definitions (which were more than 60 days old), and began protecting the Copper Basin computer system.
The credit union allege that Fiserv owed a duty of professional competency in providing the web defense and technical support services, but that Fiserv breached that duty by failing to activate the software and failing to protect Copper Basin's computer system.
The state appeals court in using Tennessee law ruled that the credit union did not file the suit too late and that the credit union’s claim was validly governed by a 2007 Master Agreement signed by the credit union. It also has proven damages consequential enough to survive the Fiserv motion to dismiss.
“Taking all of these allegations as true, as this Court must, we conclude that the trial court erred in granting Fiserv's motion to dismiss,” ruled the appeals court. As a result, the panel said the trial court's order dismissing Copper Basin’s claims against Fiserv is vacated, and the case is remanded for further action consistent with this opinion.
