databreaches.net 5/6/2026, 5:02:52 PM

Banks Sue Over Vendor Breach Despite External Data Leak


A recent high-profile incident shows how vendor-driven data breaches can trigger litigation against financial institutions, with at least two putative class actions filed within weeks of a bank confirming a third-party breach, even though the alleged conduct appears to have occurred at the vendor.

According to public reporting, the intrusion took place at a third-party vendor; yet the bank, not the vendor, is defending negligence, breach of fiduciary duty, breach of implied contract, and unjust enrichment claims on behalf of a putative nationwide class.

The piece argues that a bank’s perimeter now extends to wherever its data resides, highlighting three intertwined risks for bank leadership: vendor risk management, evolving theories of liability, and regulatory compliance with the Interagency Guidelines Establishing Information Security Standards. It notes that these Guidelines were issued under the Gramm-Leach-Bliley Act and that there is a rapidly expanding patchwork of state data security and consumer privacy laws.

The article, published on 6 May 2026, urges GCs, CTOs, CIOs, CISOs and COs to re-examine how third-party breaches intersect with liability and compliance.


Article by CyberSIXT