⬇️
Fried Frank Faces Class Action After Goldman-Linked Data Breach
Key Takeaways
- Fried Frank is accused of failing to safeguard personal data tied to a Goldman Sachs private equity fund.
- Plaintiff Andrew Sacks claims he learned of the breach from Goldman, not the law firm holding his information.
- The suit seeks damages and at least 10 years of credit monitoring for affected individuals.
International law firm Fried, Frank, Harris, Shriver & Jacobson LLP is facing a class action lawsuit that highlights a quiet worry among business and technology leaders: the security posture of their downstream service providers. The complaint, filed in the Southern District of New York, alleges the firm failed to protect sensitive information tied to investors in a Goldman Sachs alternatives fund. That is a familiar tension point for risk teams, especially when outside counsel hold substantial amounts of regulated or identity-linked data.
The suit stems from a security incident Fried Frank confirmed internally but hasn’t publicly detailed beyond a brief statement. According to the complaint, Goldman Sachs Asset Management had entrusted the firm with investor information connected to the Petershill Private Equity Seeding II Offshore Fund. That included home addresses, Social Security numbers, and banking details—precisely the categories that make CISOs wince because they invite not just immediate harm but long-tail identity fraud.
Goldman notified investors in a Dec. 19 letter that some of their data may have been exposed. The letter, later included in the complaint, noted the bank was coordinating with Fried Frank to determine the scope of the incident and would issue client-specific notifications as the situation became clearer. It’s a small detail, but it tells you a lot about how the incident is unfolding: the data owner is taking the communications lead, even though the breach occurred in a vendor environment.
Fried Frank said it moved quickly to contain the intrusion, bringing in external data security experts and contacting law enforcement. The firm described its operations as having continued “without disruption.” Language like that is usually designed to reassure clients that the impact was contained, though it doesn’t offer much insight into what actually happened inside the environment. While law firms generally avoid revealing technical details for confidentiality reasons, the lack of specificity often prompts difficult questions from corporate security teams.
Plaintiff Andrew Sacks alleges he was never notified by Fried Frank that his information had been compromised. Learning about the incident from Goldman instead left him “especially alarmed,” according to the complaint. It’s a reaction many enterprise buyers will recognize. When a vendor suffers a breach and you don’t hear directly from them, the relationship takes a hit, even if the technical exposure is limited.
For businesses, that raises an uncomfortable question: how do you enforce consistent disclosure practices across vendors that operate under different regulatory regimes and risk appetites? Some clients try to handle this through contractual notification windows, but enforcement is difficult when the facts of a breach remain murky in the early days. And yet, the expectations around transparency keep rising.
The case also points to a broader operational tension in the legal industry. Firms like Fried Frank routinely handle confidential data for major financial institutions. They sit inside highly interconnected ecosystems, with permissions and access patterns that can be sprawling compared to other types of suppliers. That is where it gets tricky. Many law firms have modernized their security posture significantly, but the sheer volume of sensitive data flowing through their document repositories, deal rooms, and email archives makes them appealing targets. It isn’t a new dynamic, but each breach draws more scrutiny to how outside counsel governs retention, segmentation, and encryption.
In Sacks’ view, he wouldn’t have shared his personal information with Goldman had he known Fried Frank’s systems were vulnerable. His argument rests partly on trust—something legal service providers cannot afford to lose. The complaint alleges negligence, breach of implied contract, breach of fiduciary duty, and unjust enrichment. It also argues victims may face “multiple years of ongoing identity theft,” a common claim in breach litigation because Social Security numbers and banking information can circulate for years across criminal marketplaces. Research from independent cybersecurity organizations like the Identity Theft Resource Center supports the idea that personal identifiers often remain valuable long after an initial compromise.
Goldman, meanwhile, has been clear that its own systems were not affected. A bank spokesperson repeated that point, emphasizing that Goldman continues to safeguard client data. That line may sound standard, but it highlights an important operational boundary: even when a breach happens outside a financial institution’s infrastructure, the reputational pressure flows upstream.
Sacks, represented by DannLaw, seeks to represent everyone whose information was compromised and who was notified on or after Dec. 19. He is asking the court to require Fried Frank to fund at least 10 years of credit monitoring. For enterprise teams reading this, the request is a reminder that breach-related costs can extend far beyond technical remediation or forensics. Credit monitoring, call center staffing, notification mailings, and potential class-wide damages often exceed early estimates. There is a reason breach response is a line item CFOs track closely.
The case, Sacks v. Fried, Frank, Harris, Shriver & Jacobson LLP (No. 1:25-cv-10693), lands at an awkward moment for professional services firms increasingly tasked with protecting sensitive data on behalf of clients in finance, private equity, and healthcare. Cyber insurance carriers have tightened underwriting, regulators are watching vendor risk with more urgency, and clients are writing tougher data-handling terms into their master service agreements. None of that guarantees a reduction in incidents, of course, but it does change the expectations around how firms respond when something goes wrong.
Still, the early facts point to a scenario many organizations have experienced: rapid containment, external experts, and law enforcement involvement, all happening while the investigation is still evolving. The next phase will likely hinge on what Fried Frank and Goldman determine about which records were accessed and for how long—details that tend to shape both legal exposure and business fallout.
Even so, the core issue remains straightforward. When a law firm becomes a custodian of investor data, its security performance becomes part of a client's own risk posture. That is not news, but this case puts the dynamic into sharper relief for any company relying on outside counsel to hold personally identifiable information at scale.
