Beyond the Perimeter: The Data Fiduciary

June 12, 2026 | 5 minutes reading time | By Astrid Yee-Sobraques

For years, financial institutions have managed third-party data as a contractual transaction. Recent federal litigation and stricter regulatory interpretations are forcing a pivot toward a fiduciary model. Risk managers must now view data as a permanent trust even beyond their own perimeter.

In late 2025, a breach notification letter arrived from an outsourcing company the recipient had never engaged, about data it had never knowingly shared with the sender. The notice came from Conduent, which processes data on behalf of health insurers across 46 states.

The intrusion had gone undetected for nearly three months and taken 11 months to generate a notification. The breach affected at least 25 million people nationwide, 15.5 million of them in Texas, whose attorney general described it as one of the largest healthcare data breaches in U.S. history.

Three Vantage Points, One Obligation

The breach surfaces a fundamental problem at the root of most data governance failures. To the institution that collected it, data is an asset. After a breach, it becomes a liability. To the person whose information was taken, it was always their identity.

That lens fragmentation is not just an analytical inconvenience. When an institution views data primarily as an asset, it optimizes for collection and retention. When it views it as a liability, it optimizes for legal protection.

Neither posture asks the question that privacy law and regulation have always required: What is owed to the person?

The Federal Trade Commission Safeguards Rule, under the Gramm-Leach-Bliley Act (GLBA), is explicit: The regulated institution owns the duty to protect customer data, permanently, regardless of where that data travels. This is reinforced by the Federal Reserve SR 23-4 (interagency) guidance stating that the use of third parties does not diminish an institution's responsibility to perform any activity in a safe and sound manner.

The obligation runs to the person – not to a vendor contract, not to a network perimeter, and not to a regulator's enforcement calendar.

While a company that loses data pays a fine and engages a public relations firm, a person who loses their data manages the consequences for the rest of their life. In Conduent's case, direct response costs are reported at $25 million, primarily for notification. Regulatory fines, litigation settlements, and reputational damage remain unquantified at the time of this writing. The asymmetry is not incidental. It is structural – and it persists because most institutions have sought to contract around the obligation the law assigns them.

Authorization Is Not Consent

The millions affected in the Conduent breach did not knowingly engage Conduent. They signed up with a healthcare provider. Their data traveled downstream through a chain of processors and subcontractors, each handoff technically authorized, none meaningfully consented to.

This is the legal architecture companies have built over decades to manage their exposure. Buried within primary service agreements sit Third-Party Affiliate or Service Provider clauses that extend data access to an undefined network of downstream processors. These clauses create a chain of permissions the consumer never sees, attached to a transaction they perceived as bilateral.

The authorization was obtained; the consent was not. The difference is not semantic.

Authorization is a technical permission: Can this party access the data? Consent is a moral and legal agreement: Did the individual agree to this specific use, by this specific party, for this specific purpose? When authorization is buried in terms of service, it is a liability management tool masquerading as privacy protection.

The fiduciary obligation was created the moment the institution accepted custody of data that belongs to a person. Legal architecture can limit exposure. It cannot discharge the fiduciary duty.

The Reckoning

On April 20, 2026, the Everest ransomware group posted Citizens Financial Group and Frost Bank on its dark web extortion site. The claimed exposure: 3.4 million Citizens records containing names, addresses, and account numbers; and 250,000 Frost Bank records containing Social Security numbers, tax identification numbers, mortgage rates, and income data.

Both institutions confirmed the breach and stated that their own networks had not been compromised – a technically accurate statement, but legally not relevant. GLBA does not ask whose server it was on. It asks whose customer it was.

Citizens subsequently characterized the exposed data as largely masked test data. That framing raises a question that litigation may ultimately answer. Masked data that contains sufficient personally identifiable information to enable harm to a real individual does not shed its fiduciary obligation simply because an institution chose to label it otherwise.

Among six class action lawsuits filed within four days, one warrants particular attention. Rather than seeking damages, it asks a federal court to declare the banks' data security posture inadequate. That is an attempt to enforce the duty owed to the people whose data sat in a vendor's environment and for whom the banks never stopped being accountable.

This case illustrates citizen advocacy stepping into a void where corporate self-governance has been insufficient and regulatory enforcement inconsistent. The standards of care that institutions should set for themselves are now being sought in a federal courthouse.

Third Parties Are Not a Risk Type

Why does this case matter? The category of the problem is wrong – third-party risk management as a discipline was built around the wrong unit of analysis from the start.

"Third-party risk management" is itself a misnomer because it implies a separate category of risk that lives outside the institution's walls. It isn't so. The third party is the venue.

Institutions have treated data as a risk to be managed rather than a trust to be stewarded. They built vendor management frameworks that govern the relationship – service levels, delivery timelines, contractual warranties – while the actual obligation remains under-governed.

For most organizations, once the vendor passes the SOC2 audit and signs the contract, the risk is considered addressed. A vendor management program looks at vendor performance. The right risk management question is different in kind. It requires continuous data lineage – knowing not just which vendors hold data, but precisely where it resides within their environments and whether it has traveled further. It requires obligation mapping – ensuring the fiduciary duty is embedded in the vendor's operational workflows, not just their legal warranties. And it requires active verification: not “trust but verify”, but “verify or terminate”.

What Must Change

Risk managers must stop relying on vendor health scorecards and start tracking data lineage, which measures data movement. Fulfilling the fiduciary obligation requires specific operational decisions.

Data classification must be driven by the regulatory accountability that attaches to the data – not by vendor size, spend, or service tier. A statement printer holding Social Security numbers carries the same regulatory exposure as a core banking system.

Contractual representations must become measurable performance obligations with consequences, not warranties of adequacy that satisfy a procurement checklist and are never tested again.

Audit rights must be exercised, not reserved. The right to audit a vendor is meaningless if it has never been used. Classification should determine intensity. A vendor holding government identifiers warrants direct scrutiny on a defined cadence.

The board's data exposure map must show where regulated data flows. Boards must be able to identify, by name and role, who in the organization is accountable for the people whose data they hold.
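The lineage, classification and accountability checks described above can be expressed as a small data model. The following is an added illustration, not code from the article or from any institution named in it: it records which parties hold which data elements, rejects a handoff of data the sending party does not itself hold (a lineage gap), derives each party's audit cadence from the most sensitive element it holds rather than from spend, and lists parties holding regulated data with no named accountable owner. The tier table, cadences, party names and data flows are all constructed assumptions.

```python
"""Data lineage and obligation mapping for regulated customer data.

Added illustration (not from the article). Every party, data flow, tier
and cadence below is constructed for the example.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

# Assumed regulatory tiers for data elements: 3 = government identifiers,
# 2 = account and financial data, 1 = contact data. Cadence depends on
# tier only; the vendor's annual spend never enters the calculation.
TIER = {"ssn": 3, "tin": 3, "account_number": 2, "income": 2,
        "mortgage_rate": 2, "name": 1, "address": 1}
AUDIT_CADENCE_DAYS = {3: 90, 2: 180, 1: 365}


@dataclass
class Party:
    name: str
    annual_spend: float                      # recorded, deliberately ignored
    accountable_owner: Optional[str] = None  # named person at the institution
    holds: set = field(default_factory=set)  # data elements this party holds
    downstream: list = field(default_factory=list)  # parties it handed data to


class LineageGraph:
    def __init__(self):
        self.parties = {}

    def add_party(self, name, annual_spend, accountable_owner=None, holds=()):
        self.parties[name] = Party(name, annual_spend, accountable_owner, set(holds))
        return self.parties[name]

    def handoff(self, src, dst, elements):
        """Record that src passed `elements` to dst. A party can only pass on
        data it actually holds; anything else is a lineage gap and is rejected."""
        elements = set(elements)
        missing = elements - self.parties[src].holds
        if missing:
            raise ValueError(f"{src} cannot hand off data it does not hold: {sorted(missing)}")
        self.parties[dst].holds |= elements
        self.parties[src].downstream.append(dst)

    def tier(self, name):
        """Classification is set by the most sensitive element the party holds."""
        return max((TIER.get(e, 0) for e in self.parties[name].holds), default=0)

    def exposure_map(self, root):
        """Walk every handoff from the institution outward (breadth first), so
        subcontractors the institution never contracted with still appear,
        tagged with how many hops away they are and the cadence their tier demands."""
        seen, queue, rows = {root}, deque([(root, 0)]), []
        while queue:
            name, hops = queue.popleft()
            party = self.parties[name]
            if name != root:
                t = self.tier(name)
                rows.append({"party": name, "hops": hops, "tier": t,
                             "audit_every_days": AUDIT_CADENCE_DAYS.get(t),
                             "accountable_owner": party.accountable_owner,
                             "annual_spend": party.annual_spend})
            for nxt in party.downstream:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, hops + 1))
        return sorted(rows, key=lambda r: (-r["tier"], r["hops"]))

    def accountability_gaps(self, root):
        """Parties holding tier-2 or higher data with nobody at the institution named for them."""
        return [r["party"] for r in self.exposure_map(root)
                if r["tier"] >= 2 and not r["accountable_owner"]]


def build_sample():
    """Constructed lineage: a low-spend statement printer holding SSNs, which
    passes them on to a subcontractor the bank never contracted with."""
    g = LineageGraph()
    g.add_party("bank", 0, holds=TIER.keys())                     # the regulated institution
    g.add_party("core-banking", 4_000_000, accountable_owner="J. Doe, Head of Operations")
    g.add_party("statement-printer", 40_000)                      # low spend, no named owner
    g.add_party("print-subcontractor", 0)                          # never engaged by the bank
    g.add_party("marketing-analytics", 250_000, accountable_owner="K. Roe, CMO")
    g.handoff("bank", "core-banking", ["name", "account_number", "ssn"])
    g.handoff("bank", "statement-printer", ["name", "address", "ssn"])
    g.handoff("statement-printer", "print-subcontractor", ["name", "address", "ssn"])
    g.handoff("bank", "marketing-analytics", ["name", "address"])
    return g


if __name__ == "__main__":
    graph = build_sample()
    for row in graph.exposure_map("bank"):
        print(row)
    print("accountability gaps:", graph.accountability_gaps("bank"))
```

In the constructed sample the statement printer, paid a fraction of what the core banking vendor is paid, lands on the same 90-day audit cadence because it holds Social Security numbers, and its subcontractor appears on the exposure map two hops out despite having no contract with the bank at all; both surface as accountability gaps because no one at the institution is named for them.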

Conclusion

The Citizens/Frost class actions extend past the breach to examine whether an institution can demonstrate, to a federal court's satisfaction, that it honored its fiduciary obligation since taking custody of customer data. That has little to do with the vendor relationship.

Privacy law has always required a single lens: The data belongs to the person, and the duty runs to that person, permanently.

If asked in court today to prove that a fiduciary duty to a single customer whose data is now on the dark web had been honored, could the institution show an unbroken chain of accountability – or just a signed contract with a compromised vendor?

Astrid Yee-Sobraques, FRM, CISSP is a senior risk executive in Enterprise Risk Management, Operational Resilience and Cybersecurity. Over 25 years at GE Capital, AIG, Citibank, and PwC, she specializes in “risk connectivity” – integrating people, processes, and data to strengthen how organizations anticipate, manage, and respond to cascading financial, operational, and compliance risks. Her current work examines how geopolitical, cyber, and financial disruptions converge into systemic risk cascades – and how governance frameworks must evolve to meet them. Astrid serves on GARP’s New York Chapter Advisory Committee. She can be reached at Astrid@therisksherpa.com.

Topics: Data, Cybersecurity, Third Party Risk
