Infosys Settles Data Breach Class Action Lawsuits for $17.5M
Vendor Breach Settlement Exposes Contractual Governance Gap: Why Enterprise Buyers Remain Structurally Exposed
Framing: Third-Party Liability Without Third-Party Control
Infosys McCamish Systems' $17.5 million class action settlement for a November 2023 LockBit ransomware attack reveals a fundamental structural weakness in how enterprises manage vendor risk: organizations bear full regulatory and financial liability for vendor security failures despite lacking contractual mechanisms to enforce security standards, mandate incident response timelines, or recover damages. When a single vendor breach affects 6+ million individuals across insurance and retirement sectors, the liability cascade extends to downstream enterprises, their customers, regulators, and insurers—yet vendor contracts rarely allocate accountability proportionally. This settlement signals that vendor security governance has evolved from operational concern to board-level liability exposure, and existing contractual frameworks are inadequate.
The Liability Cascade: Vendor Negligence, Enterprise Exposure
The Infosys McCamish Systems breach illustrates a critical governance asymmetry. The vendor—a subsidiary providing life insurance and retirement software to U.S. enterprises—failed to implement adequate cybersecurity measures, resulting in unauthorized access between October 29 and November 2, 2023. Attackers exfiltrated Social Security Numbers, medical treatment information, financial account data, passport numbers, and military IDs affecting 6.08 million individuals. Yet the financial and reputational consequences fell disproportionately on downstream enterprises: insurance carriers, retirement plan administrators, and their customers faced notification obligations, regulatory inquiries, and remediation costs. The vendor negotiated a settlement representing a fraction of annual revenue from affected customers, while enterprises absorbed the full cost of vendor negligence.
This structural imbalance reflects a persistent contractual weakness. Most vendor agreements lack enforceable security standards tied to regulatory frameworks, do not mandate breach notification within 24 hours, do not grant enterprises unilateral audit rights, and do not allocate liability proportionally to risk exposure. When Infosys McCamish Systems eventually notified affected parties, plaintiffs alleged the company failed to disclose incident details, the vulnerabilities exploited, or remedial measures—information essential for downstream enterprises to assess their own regulatory exposure and customer notification obligations. Without contractual enforcement mechanisms, enterprises cannot compel vendors to meet these disclosure standards.
Regulatory Accountability Flows Downstream, Not Upstream
From a regulatory perspective, the breach triggered multi-jurisdictional notification cascades across U.S. state attorneys general and created potential GDPR and NIS2 exposure for any EU-connected data processing. Critically, regulators increasingly view vendor security failures as enterprise accountability failures. Insurance regulators, retirement plan overseers, and state attorneys general hold the enterprise—not the vendor—accountable for timely notification, breach investigation transparency, and customer remediation. The settlement demonstrates that regulatory liability for vendor breaches flows downstream to enterprises, not upstream to vendors. Enterprises cannot delegate accountability; they can only attempt to contractually shift risk, and most current agreements fail to do so.
The governance implication is direct: NIS2 and DORA frameworks now explicitly require enterprises to assess and monitor third-party security posture as part of enterprise risk management. A vendor breach is no longer a vendor problem—it is an enterprise governance failure. Regulators will scrutinize whether the enterprise conducted adequate vendor due diligence, enforced contractual security standards, required cyber insurance with named additional insured status, and obtained timely breach notification. The Infosys settlement occurred without admission of liability by the vendor, yet enterprises and their customers bore the full cost of notification, credit monitoring, and regulatory response.
Contractual Governance Framework: What Must Change
Vendor contracts must now include specific, measurable security standards aligned with regulatory frameworks, not generic "reasonable security" language. Contracts should mandate: (1) breach notification within 24 hours of discovery, with written incident details including attack vector, data categories affected, and remedial measures; (2) unilateral audit rights allowing enterprises to conduct annual security assessments or engage third-party auditors; (3) cyber insurance requirements with minimum coverage limits and named additional insured status for the enterprise; (4) post-breach cooperation obligations including forensic investigation participation and regulatory filing support; (5) liability caps reflecting actual risk exposure (not capped at annual contract value); and (6) termination rights triggered by material security failures or failure to remediate within defined timelines.
For vendors handling sensitive personal data in regulated sectors—insurance, retirement, healthcare, financial services—these contractual mechanisms are no longer optional. They are accountability requirements. The Infosys settlement signals that regulators and courts will evaluate whether enterprises enforced adequate contractual security standards. Enterprises that rely on generic vendor agreements without enforceable security provisions face regulatory sanctions, customer notification costs, and reputational damage despite having no direct control over vendor infrastructure. This is a governance failure, not a technology failure.
Cybersol Editorial Perspective: The Persistent Contractual Weakness
The Infosys settlement is not an outlier; it reflects a systemic governance gap that persists across enterprise vendor management. Most organizations conduct vendor security assessments during onboarding but fail to enforce contractual accountability mechanisms post-signature. Vendor contracts are often drafted by procurement teams focused on cost and service levels, not by legal or governance teams focused on liability allocation and breach response. When breaches occur, enterprises discover that their contracts lack audit rights, breach notification timelines, or liability provisions—leaving them unable to compel vendor cooperation or recover damages.
What organizations consistently overlook: vendor risk is not mitigated by vendor security assessments alone. Risk is mitigated by contractual enforcement mechanisms that create financial and operational consequences for vendor security failures. A vendor that faces potential contract termination, liability exposure, and audit requirements has stronger incentives to invest in security than a vendor whose contract contains no enforcement mechanisms. The Infosys settlement demonstrates that enterprises cannot rely on vendor goodwill or regulatory pressure to enforce security standards—they must embed accountability into contracts.
The risk layer deserving more attention: post-breach vendor cooperation. When a breach occurs, enterprises need rapid access to forensic findings, attack timelines, and remedial measures to fulfill their own regulatory notification obligations. Yet most vendor contracts do not require vendors to cooperate with post-breach investigations or provide findings within defined timelines. Infosys McCamish Systems' delayed and incomplete breach notifications exemplify this gap. Enterprises should audit existing vendor agreements for post-breach cooperation obligations and revise contracts to mandate forensic investigation participation, findings disclosure within 72 hours, and regulatory filing support.
Conclusion
The Infosys McCamish Systems settlement crystallizes a structural governance implication: vendor security failures are enterprise accountability failures, and existing contractual frameworks are inadequate to manage that accountability. Enterprises should conduct immediate audits of critical vendor agreements—particularly those handling personal data in regulated sectors—and identify gaps in breach notification timelines, security audit rights, cyber insurance requirements, and liability allocation. For new vendor relationships, security governance should be embedded into contracts from signature, not treated as an operational concern. Regulators increasingly view vendor risk management as a core governance responsibility, and the Infosys settlement signals that courts will evaluate whether enterprises enforced adequate contractual accountability mechanisms. This is not optional vendor management; it is board-level liability exposure.
For full context and details on the settlement terms and breach timeline, review the original Bank Information Security article.
Source: Bank Information Security, "Infosys Settles Data Breach Class Action Lawsuits for $17.5M," by Jayant Chakravarti, March 17, 2025
URL: https://www.bankinfosecurity.com/infosys-settles-data-breach-class-action-lawsuits-for-175m-a-27746