When Your Vendor’s Breach Becomes Your Lawsuit: Privacy Risk Lessons from Recent Bank Litigation | FBT Gibbons LLP

https://www.jdsupra.com/legalnews/when-your-vendor-s-breach-becomes-your-8586080/

Publish Date: 2026-05-12 17:18:00

Source Domain: www.jdsupra.com

A recent high-profile incident illustrates the growing litigation and regulatory risks that financial institutions face from vendor-driven data breaches. Within weeks of a national bank confirming a data security incident at a third-party service provider, at least two putative class actions were filed, though none of the alleged conduct appears to have occurred within the bank itself. According to public reporting, the intrusion took place at a third-party vendor; yet the bank, not the vendor, is now defending negligence, breach of fiduciary duty, breach of implied contract, and unjust enrichment claims on behalf of a putative nationwide class.

The bank matter is the latest — but likely not the last — reminder that, from a cybersecurity and litigation standpoint, a financial institution’s perimeter is not where its servers end; rather, it extends to wherever its data resides. For bank general counsel (GCs), chief technology officers (CTOs), chief information officers (CIOs), chief information security officers (CISOs), and compliance officers (COs), this litigation validates three distinct but interlocking risks worth re-examining: (1) vendor risk management, (2) litigation exposure under evolving theories of liability, and (3) regulatory compliance with the Interagency Guidelines Establishing Information Security Standards (“Guidelines”)[1] issued under the Gramm-Leach-Bliley Act (GLBA), plus the rapidly expanding patchwork of state data security and consumer privacy laws.

The Fact Pattern Banks Should Recognize

The publicly reported allegations follow a familiar pattern. A threat actor compromises a service provider that processes or stores customer data on the bank’s behalf. The bank itself is not compromised, but its customers’ non-public personal information (NPI) — names, addresses, account numbers, Social Security numbers, driver’s license numbers, and dates of birth — is exfiltrated.[2] The bank investigates, notifies regulators…