While the details of this are interesting, what is more important is thinking about all of the contracts that you sign.
This is a legal battle that goes back several years.
In one corner is Fiserv, the Fortune 200 +/- financial services software behemoth.
In the other corner is Bessemer System Federal Credit Union, a small community credit union in Pennsylvania.
In 2018 Brian Krebs reported bugs in Fiserv’s platform that allowed one customer to see another customer’s name, address, bank account number and phone number.
So Bessemer FCU did some more testing and found more bugs – security holes.
According to the credit union, Fiserv responded with an aggressive notice of claims, attempting to silence Bessemer if they discussed these security bugs with third parties, including other Fiserv customers.
In the end Bessemer sued Fiserv and Fiserv counterclaimed.
Fiserv said Bessemer breached its contract, among other things, and wanted attorney fees.
Much of the argument seems to be around the security review, which, if accurate, shows that Fiserv’s software is not secure, something other Fiserv customers might want to know about.
Fiserv says that Bessemer just wants to embarrass Fiserv and get out of paying some bills.
Without spending a lot of time reviewing legal documents, it appears that Bessemer was not happy with Fiserv’s response to being notified about the bugs (like in fixing them, soon) and wants to terminate the contract.
Fiserv appears to want to silence a critic (boy is that failing) and doesn’t want to let the customer out of its contract.
So what does that mean for you if you sign a contract with a vendor? Here are some thoughts.
- The vendor is going to want you to sign as long a contract as possible and will usually offer you a price incentive to do so. If this is a new vendor, that is likely not a good deal for you. Shorter might make more sense.
- You should review the reasons that you can terminate the contract and what that termination will cost you.
- You should look for any clauses that stop you from talking about the vendor’s product quality. This is different from disclosing secrets. While bugs and security flaws may be secret, they should not be covered by these types of contract restrictions.
- Vendors should have a fixed amount of time to fix serious bugs or you should be able to terminate your contract.
- The contract should spell out that the vendor is liable for your losses as a result of security bugs. Software vendors will resist this like the plague, but why should you be responsible for their bad software?
The lawsuit is ongoing. It will be interesting to see how this works out. Given this is now in the news, Fiserv might be smart to try and make it go away. Quietly. A trial could be ugly. On the other hand, Fiserv has a lot more money than Bessemer does.
But think about those contracts you signed and how you would fare in a similar situation.
On the other side, if you are a software vendor, how would you handle this situation?
Credit: Security Week