
Marquis v. SonicWall: Liability and Vendor Responsibility in Security Incidents

A recent lawsuit filed by a fintech company against its security vendor highlights the evolving legal standards for third-party risk. This analysis examines the implications for vendor accountability, "reasonable cybersecurity" definitions, and the importance of solid service level agreements.

Triage Security Media Team

A major fintech organization is attributing responsibility for a recent data exposure to its firewall provider, seeking damages through legal action. This litigation illustrates a shift in how organizations approach accountability following security incidents, with significant implications for the relationship between technology providers and their clients.

The plaintiff, Marquis, provides marketing and compliance solutions to over 700 banks and credit unions. On August 14, an unauthorized party accessed Marquis’s IT network and client data, which included personally identifying information (PII) for customers of its financial institution clients. Reports indicate that approximately 780,000 individuals may have been affected, though this figure has not been independently verified by Triage.

Initially, the entry vector for the Marquis incident was unclear. However, on September 17, Marquis’s firewall vendor, SonicWall, disclosed a separate security incident affecting its own systems. Threat actors had accessed firewall configuration backup files belonging to SonicWall customers. These files contained data that could potentially allow unauthorized access to client environments.

SonicWall initially estimated that fewer than 5% of its customers were affected by this exposure. On October 8, the company revised its assessment, confirming that all customers who utilized the cloud backup service were impacted.

Marquis responded by filing a complaint in the US District Court for the Eastern District of Texas on February 23. The filing alleges that SonicWall’s security failures contributed to the incident at Marquis and seeks damages. This case brings a critical industry question to the forefront: how should liability be allocated when a third-party security tool is involved in a data exposure event?

Erin Jane Illman, a partner at the law firm Bradley, notes the strategic shift. "Historically, most incident-related lawsuits have flowed from consumers or regulators toward the affected company," she explains. "But this case highlights a growing shift: enterprises turning around and suing their cybersecurity vendors, managed service providers, and software suppliers for contribution, indemnification, or outright negligence. That fundamentally changes the risk calculus for the industry. Vendors are no longer just technical partners, they are potential co-defendants."

Precedents in Vendor Liability

While less common than consumer class actions, lawsuits against security vendors are not without precedent.

In 2018, a security incident at email security provider Barracuda Networks resulted in the exposure of personal health information (PHI) belonging to Zoll Services, a Barracuda client. Zoll filed suit against Barracuda, but the US District Court for the District of Massachusetts ruled in favor of the vendor. In November 2025, Zoll’s appeal was rejected.

Other cases have explored similar legal theories. In 2014, several financial institutions pursued litigation against Target following its point-of-sale data exposure, while also naming Trustwave, Target's security assessor, as a defendant. Those claims were ultimately withdrawn or dismissed.

Jackson Stephens, senior cybersecurity counsel for Galactic Advisors, observes that the 2023 MOVEit file transfer incident also generated significant litigation. "That incident resulted in dozens of lawsuits, many of which are still pending in court," Stephens says. He suggests that legal actions against managed service providers (MSPs) and security vendors are becoming more frequent.

Regarding the Marquis and SonicWall dispute, Stephens anticipates a settlement rather than a trial. "I suspect that the contract requires arbitration or mediation, and like most suits, ending in an undisclosed settlement," he notes. However, he warns that vendors like SonicWall face broader risks. If business customers experience data leaks, they may face class action lawsuits from affected individuals, prompting those businesses to seek indemnification from the vendor. Additionally, regulatory enforcement actions remain a possibility.

Defining "Reasonable Cybersecurity" for Providers

The outcome of these disputes often hinges on legal definitions of negligence. Illman suggests that the Marquis case could influence future litigation strategies. "This environment creates strategic incentives for executives," she explains. "Faced with shareholder suits or regulatory scrutiny after an incident, leadership may be more inclined to shift blame downstream — arguing that a vendor's tool failed, a patch was defective, or a managed service provider missed indicators of compromise."

Illman clarifies that this strategy does not eliminate executive responsibility, "but it does open a new front of cross-claims and indemnity fights behind the scenes."

Legal teams are currently testing various theories to establish liability, including misrepresentation, failure to warn, and negligent design. "Courts may begin to scrutinize how 'reasonable cybersecurity' is defined for a professional security provider," says Illman. "When a company sells security as its core product, the standard of care it's held to could be materially higher than that of an ordinary enterprise IT department."

Strengthening Vendor Relationships and Contracts

Beyond litigation, this case emphasizes the importance of vendor selection and contract governance. Organizations retain the authority to define the terms of their partnerships.

"It's not uncommon for companies to engage vendors without doing appropriate due diligence to assess the cybersecurity of their vendors," says Joseph Lazzarotti, an attorney with Jackson Lewis. He notes that service level agreements (SLAs) frequently fail to account for scenarios where the vendor itself is the source of a security issue.

If organizations do not apply rigor to their vendor selection process, they may face their own liability challenges. Lazzarotti warns that careless hiring could result in claims that the company was negligent in selecting or monitoring its vendor, thereby increasing its exposure regarding the safety of consumer data.

Neither Marquis nor SonicWall responded to requests for comment regarding the ongoing litigation.