He cannot return the data per se, so there is a difference. Once it leaves Apple's servers it could be less secure and he's not registered as a data controller I'm sure.
In your example above, why could the person not just point out that the money was not safe? It's no loss to them if the person does not act on the information.
In your example above, why could the person not just point out that the money was not safe? It's no loss to them if the person does not act on the information.