Recently, major media reported that a key financial services provider, SitusAMC, suffered a substantial data security incident. This Alert summarizes what we know so far, the possible legal implications, and some action items for the corporate clients of SitusAMC.
Breach Announcement
On November 22, 2025, SitusAMC posted a statement indicating that a November 12 data security incident had impacted (i) corporate data tied to some of its clients' relationships and (ii) "certain data relating to some of our clients' customers may also have been impacted." Although it assured clients that services remain operational, the scope, nature, and extent of the incident remain under investigation. SitusAMC processes commercial real estate applications, which would normally include detailed financial information about tenants, including Social Security numbers.
Potential Legal Implications for Corporate Clients after a Vendor Breach
Vendor data breaches (also called third-party breaches) can pose myriad legal implications for clients, ranging from the obligation to provide notice to the defense of regulatory investigations and class-action litigation, not to mention end-client impact and reputational damage.
In the U.S., all 50 states (and four territories) have data breach notification laws with varying requirements, but generally the entity that owns the data (called "the controller") must notify affected natural persons after unauthorized access to certain "personal information" (which includes SSNs). Vendors must notify the controller, often "immediately," but the obligation to provide the notices to the data subjects then shifts to the controller. Most industrialized countries have similar requirements, perhaps most prominently under the EU/UK GDPR. In practice, the vendor will normally provide notice to the impacted natural persons on behalf of the controller, but the legal obligations stay with the controller, and some controllers will want to control the form and content of the notice and any required credit monitoring offers.
The controller also needs to ensure notice to the appropriate regulators. For almost all U.S. companies, this would include state attorneys general in the states where the data subjects reside, subject to an unfortunately complex set of thresholds and exceptions.
Beyond state attorney general notification, controllers must also notify sector-specific regulators, subject to certain exceptions and exclusions, such as for when no harm is reasonably possible. In the financial sector, OCC/FDIC/FRB rules require banks to notify their primary federal regulator as soon as possible and no later than 36 hours after determining that a "notification incident" occurred. Entities subject to state insurance and banking laws (such as those that are regulated by the New York Department of Financial Services) must also provide notice within 72 hours for certain "cybersecurity events." Non-bank financial institutions (including private funds) that are subject to the GLBA/FTC Safeguards Rule must provide notice to the FTC within 30 days of discovery. Coming soon, new SEC Reg S-P regulations will require notice to the SEC within 30 days, and new provisions for 72-hour critical infrastructure notifications to CISA were due to be finalized in October 2025 but have been delayed until May 2026.
Public companies must also disclose the incident on Form 8‑K (Item 1.05) within four business days of determining that they have suffered an incident material to them (not the vendor). Companies with customers outside the United States also need to consider notices to the data protection authorities present in most industrialized countries, including the EU/UK requirements under the GDPR for notice to the supervisory data protection authority within 72 hours of becoming aware of a breach of personal data.
Media inquiries, regulatory investigation, class action litigation, and even congressional investigations and shareholder suits can follow for large, severe or well-publicized breaches.
Immediate Legal Action Items for Corporate Clients after a Vendor Breach
Although corporate clients can sometimes be at the mercy of the vendor until it completes its investigation and issues further statements, lawyers at corporate clients can prepare for the impact of the incident by taking several actions promptly, including:
- Assembling relevant stakeholders to
  - understand the commercial importance of the vendor;
  - get briefed on any issues in the relationship; and
  - ensure a consistent response and good information flow as the scope of the incident becomes clear.
- Finding and analyzing the relevant terms of their contract with the vendor. In particular, assessing
  - whether you can rely on the vendor to provide data notices;
  - whether you can control the investigation or at least obtain a copy of the forensic report;
  - whether the vendor will indemnify you;
  - limitations on the vendor's liability; and
  - data transfer and termination options in the contract.
- Understanding the data sent to and received from the vendor, including
  - operational impacts from the loss or compromise of the data;
  - whether the data includes commercially sensitive data, intellectual property, or trade secrets; and
  - whether the data are personal data that may trigger data breach notice laws.
- Checking relevant cyber insurance coverage.
- Preparing for incoming stakeholder inquiries by developing communications materials to answer the questions that are likely to come from various angles.
- Assessing what level of security diligence was done on this vendor during the contracting phase and any ongoing oversight.
- Understanding data breach notice obligations and building a matrix based on the type of information potentially exposed and the relevant jurisdictions.
- Deciding whether a joint defense or a more adversarial posture will best serve your interests, and preparing appropriate communications to ensure document preservation, including log retention.
- Assessing whether FBI or other law enforcement involvement would be useful.
- Contacting external legal counsel when appropriate.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.