Who is liable for a cyber breach?

Data owners are held responsible for data security. For this reason, they are usually considered liable for breaches.



Liability for a cyber breach is a complex legal issue that typically falls on the organization that collected or processed the compromised data. Under modern frameworks like the GDPR in Europe or the CCPA in California, a company is held responsible if it failed to implement "appropriate and proportionate" technical and organizational security measures. Even if the breach was caused by a malicious third-party hacker, the organization can be liable for negligence if it had unpatched vulnerabilities or inadequate encryption.

In some jurisdictions, individual executives and board members can also face personal liability if they are found to have demonstrated a "reckless disregard" for cybersecurity oversight. Additionally, third-party vendors (like cloud service providers) can be held liable through "indemnity clauses" in their contracts if the breach originated in their specific infrastructure. For the victims, recourse often involves class-action lawsuits seeking compensation for financial losses or identity theft protection, though companies often argue that "terms of service" disclaimers limit their financial exposure to actual, proven damages.
