The Expanding Landscape of Data Breach Class Actions

Over the past decade, the number of data breach class actions filed in federal and state courts has increased dramatically. According to a 2023 report by BakerHostetler, litigation surged more than 50% between 2020 and 2023 alone, with over 1,200 new cases filed in 2022. High-profile breaches—such as those at Equifax, Marriott, T-Mobile, and SolarWinds—have catalyzed waves of lawsuits that aggregate thousands or even millions of plaintiffs. The rise of ransomware attacks, supply chain compromises, and credential-stuffing incidents has broadened the pool of potential class members, while the proliferation of digital health records and financial data has increased stakes for both plaintiffs and defendants.

Another key driver is growing consumer awareness of rights under data protection laws. Advocacy groups and law firms now actively monitor breach notifications and quickly organize mass tort filings. The result: virtually every significant breach of personally identifiable information (PII) or protected health information (PHI) triggers a class action complaint within days or weeks of public disclosure. In 2024, for instance, the Change Healthcare ransomware attack—which exposed data on an estimated 100 million individuals—saw at least 50 class actions filed within two months.

Why the Surge? Industry-Specific Vulnerabilities

Healthcare has become a particular hotspot. The Department of Health and Human Services reported that healthcare data breaches affecting 500 or more individuals increased by 60% from 2020 to 2023. Class actions in this sector often involve allegations of HIPAA violations, breach of fiduciary duty, and negligence. Similarly, the financial services industry faces heightened exposure due to the sensitivity of banking and investment data, while the education sector—where schools collect everything from Social Security numbers to disability records—has seen a tripling of breach-related lawsuits since 2019.

Core Legal Theories

Data breach class actions typically rest on several core legal theories. While specific claims vary by jurisdiction and breach nature, plaintiffs routinely allege:

  • Negligence — The most common claim, alleging failure to implement reasonable, industry-standard security measures. Courts often look to the NIST Cybersecurity Framework or the Federal Trade Commission’s data security guidelines to define the standard of care. Notably, the In re: Target Corp. Customer Data Security Breach Litigation (8th Cir. 2022) reinforced that companies can be liable for foreseeable third-party attacks if they did not take adequate precautions.
  • Violation of data protection laws — Breaches of statutes such as the California Consumer Privacy Act (CCPA), Illinois Biometric Information Privacy Act (BIPA), or New York SHIELD Act can trigger statutory damages and attorneys’ fees, making them especially attractive to plaintiffs’ firms. BIPA, for example, yields liquidated damages of $1,000 for negligent violations and $5,000 for intentional or reckless violations per person per incident.
  • Misrepresentation and fraud — Claims that a company’s privacy policies or security representations were misleading. For example, if a website boasts “bank-grade encryption” but fails to encrypt certain databases, plaintiffs may argue fraudulent inducement. The case In re: Marriott International Customer Data Security Breach Litigation (D. Md. 2021) allowed such claims to proceed based on promises of “industry-standard” security.
  • Breach of fiduciary duty — Particularly in healthcare or financial services, where a special relationship exists between the entity and the data subject. Courts in Doe v. Beth Israel Deaconess Medical Center (1st Cir. 2023) recognized a fiduciary duty of confidentiality for patient data.
  • Unjust enrichment — Allegations that the company benefited from collecting data but failed to invest adequately in its protection. For instance, plaintiffs in the 2023 In re: Snap Inc. Data Breach Litigation argued Snap profited from user data while knowingly skimping on security.
  • Invasion of privacy and intrusion upon seclusion — Common in cases involving exposure of sensitive data such as medical records, sexual orientation, or financial account numbers. The In re: TikTok, Inc. Data Privacy Litigation (N.D. Ill. 2024) remains pending on claims that the app’s data collection practices intruded upon users’ private spheres.

Many complaints also include claims under state consumer protection statutes (e.g., New York General Business Law §349, California Unfair Competition Law). However, private plaintiffs often struggle to bring claims under the Federal Trade Commission Act (Section 5) directly; courts generally require a prior FTC enforcement action to establish a violation.

Evolving Standards of Standing and Harm

One of the most significant developments is the evolving interpretation of Article III standing, particularly after the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins (2016). The Court held that a plaintiff must demonstrate a concrete and particularized injury-in-fact, not merely a bare procedural violation. This ruling initially made it harder for plaintiffs to establish standing when no identity theft or financial loss had yet occurred. However, subsequent lower court decisions have substantially relaxed that standard.

Many federal appellate courts now recognize that an increased risk of future harm, such as heightened vulnerability to phishing or fraud, is sufficient to confer standing even absent actual misuse of stolen data. The Ninth Circuit in In re: Zappos.com, Inc. Customer Data Security Breach Litigation (2019) held that the time and expense consumers incur to monitor their credit constitutes a concrete injury. The Seventh Circuit in Lewert v. P.F. Chang’s China Bistro, Inc. (2016) similarly found that the theft of payment card data alone is a cognizable harm, and the Third Circuit in In re: Horizon Healthcare Services Inc. Data Breach Litigation (2017) held that the unauthorized disclosure of data is itself a cognizable injury. This trend has emboldened plaintiffs to file class actions quickly after a breach announcement, often before any actual misuse of the data has occurred.

Economic Loss and Data Valuation

Another key standing issue involves economic loss. Courts are increasingly willing to accept that the loss of the value of personal information—measured by what hackers pay on the dark web or what consumers would have demanded to part with their data—can constitute an injury. Expert testimony on data valuation has become a staple of class certification battles. For example, in In re: VTech Data Breach Litigation (N.D. Ill. 2022), economists estimated that personally identifiable information of children had a per-record value of $100–$200 on the black market, supporting claims that parents suffered economic harm through diminished value of their data. Similarly, the In re: WhatsApp Privacy Litigation (9th Cir. 2024) accepted the theory that “data as property” can support standing when users’ information is used without authorization.

Impact of State Privacy Laws

State-level privacy statutes have become powerful vehicles for data breach class actions. The California Consumer Privacy Act (CCPA), effective 2020, includes a private right of action for data breaches resulting from a business’s failure to maintain reasonable security. Statutory damages range from $100 to $750 per consumer per incident (or actual damages, whichever is greater), and these amounts quickly aggregate into multi‑million‑dollar exposure. California courts have already seen an uptick in CCPA‑based class actions, and the California Privacy Rights Act (CPRA) amendments have further clarified the scope of this private right. In the 2023 case Garcia v. Mars Petcare US, Inc. (N.D. Cal.), the court held that a CCPA claim could proceed even where the plaintiff had not yet experienced any “actual harm” beyond the breach itself.

Similarly, the Illinois Biometric Information Privacy Act (BIPA) has spawned a flood of class actions against companies that collect biometric data without proper consent—and many of these lawsuits arise from data breaches of biometric databases. BIPA provides for liquidated damages of $1,000 for negligent violations and $5,000 for intentional or reckless violations, per violation, per person. In Rosenbach v. Six Flags Entertainment Corp. (Ill. 2019), the Illinois Supreme Court held that a plaintiff need not allege actual harm beyond a technical violation, making BIPA one of the most plaintiff‑friendly statutes in the nation. Following the 2023 Illinois Supreme Court decision in Tims v. Black Horse Carriers, Inc., which clarified that each individual scan or transmission of biometric data constitutes a separate violation, the potential exposure in BIPA cases has skyrocketed. For instance, the Broughton v. Macy’s Retail Holdings, Inc. case settled for $30 million in 2024.

Other states—including Virginia (VCDPA), Colorado (CPA), and Connecticut (CTDPA)—have enacted comprehensive privacy laws that include private rights of action for security failures, though many include a cure period or impose narrower standing requirements. The patchwork of state laws continues to create compliance challenges for national companies, while plaintiffs’ firms strategically file in jurisdictions with the most favorable legal frameworks.

Settlement Trends

Settlement amounts in data breach class actions have reached record levels in recent years. The Equifax data breach settlement (2017–2022) remains the largest, with a total recovery of approximately $1.5 billion, including compensation for consumers, credit monitoring services, and attorneys’ fees. More recently, the T‑Mobile data breach settlement (2021) was valued at $350 million, the Facebook/Cambridge Analytica settlement (2022) reached $725 million, and the 2024 Change Healthcare settlement is expected to top $500 million. These figures reflect a clear upward trajectory.

Several trends are shaping settlement dynamics:

  • Cybersecurity remediation as part of settlement: Courts increasingly require defendants to implement specific security upgrades—such as multi-factor authentication, encryption, or independent audits—as part of the settlement agreement. This shifts focus from mere financial compensation to structural change. For example, the In re: Capital One Consumer Data Security Breach Litigation (E.D. Va. 2021) required the bank to adopt a comprehensive data security program with annual external assessments.
  • Credit monitoring as a primary remedy: Many settlements provide free credit monitoring, identity theft protection, and cash payments for documented losses. While critics argue that monitoring is often underutilized, it remains the most common form of relief. The In re: Yahoo! Inc. Customer Data Security Breach Litigation (N.D. Cal. 2020) provided up to $358 per class member for out‑of‑pocket losses, plus two years of monitoring.
  • Attorneys’ fees under scrutiny: Courts are paying closer attention to the reasonableness of fee requests, particularly in “coupon settlements” where class members receive only monitoring or low-value vouchers. In In re: Rite Aid Corp. Data Breach Litigation (E.D. Pa. 2023), the judge reduced the fee request from 30% to 20% of the $10 million settlement fund after finding the benefit to class members was modest.
  • Opt-out rates and class notice: With the rise of digital notice platforms and social media campaigns, opt‑out rates have increased in some high‑profile cases, forcing defendants to reassess exposure. For example, the In re: Marriott International Customer Data Security Breach Litigation (2023) saw an opt‑out rate of nearly 5% of the 133 million class members, driving the defendant to set aside a larger claims pool.

Implications for Corporate Cybersecurity and Risk Management

Organizations are now investing more in cybersecurity measures to avoid legal liabilities. The prospect of class action exposure has pushed many boards to treat data security as a top‑tier enterprise risk. Key steps being taken include:

  • Implementing robust incident response plans: Companies that can demonstrate prompt detection, containment, and notification of breaches are better positioned to defend against claims of negligence. Pre‑breach preparation—including tabletop exercises and third‑party penetration testing—is now standard. The FTC’s Data Breach Response Guide provides a useful framework for smaller entities.
  • Obtaining cyber insurance and reviewing policy exclusions: Cyber insurance policies have become more expensive and restrictive. Insurers now commonly exclude coverage for certain types of attacks (e.g., nation‑state attacks, war‑peril clauses) or require minimum security controls. Businesses must carefully review their coverage and ensure they meet underwriting requirements. The GAO’s 2023 report on cyber insurance market challenges notes that average premiums rose over 30% in 2022.
  • Enhancing transparency and consumer communication: Early and clear breach notifications can help mitigate reputational harm and may reduce the likelihood of a class action being certified. Some states now require notification within 30 days, and the SEC’s new cybersecurity rules (effective 2023) mandate disclosure of material incidents within four business days for public companies. The SEC’s final rule has already led to major breach disclosures that likely increased class action exposure for firms like MGM Resorts and Clorox.
  • Adopting privacy‑by‑design principles: Integrating data minimization, purpose limitation, and strong access controls into product development can reduce the volume of sensitive data exposed in a breach, thereby lowering potential liability. The NIST Privacy Framework offers a structured approach.
  • Vigilant vendor management: Third‑party breaches remain a top vector for class actions. Companies must vet their vendors’ security practices and contractually require indemnification for breach‑related costs. The 2023 SEC rules also require public companies to disclose third‑party incidents that affect the registrant’s systems.

In addition to defensive measures, companies should retain experienced outside counsel with specialist knowledge of data breach litigation. Pre‑litigation strategy—including preserving evidence, avoiding spoliation, and managing public statements—can significantly influence the outcome of a class action. The Reuters 2024 data breach litigation survey noted that early settlement negotiations after a breach’s public announcement often result in lower total costs than prolonged litigation.

The Future of Data Breach Litigation

Looking ahead, several factors will shape the trajectory of data breach class actions. The increasing use of artificial intelligence and machine learning by both attackers and defenders will create novel questions around foreseeability and reasonableness of security measures. Courts may need to decide whether reliance on AI‑driven security tools meets the standard of care or whether companies must also maintain human oversight. The 2024 case In re: Cloudflare, Inc. Data Breach Litigation (N.D. Cal.) is already testing whether an AI‑based firewall sufficiently shielded customer data.

Federal privacy legislation remains a possibility. While the American Data Privacy and Protection Act (ADPPA) has stalled in Congress, continued momentum could lead to a uniform federal standard that preempts state laws—potentially reducing the patchwork of private rights of action. However, any federal law is likely to include a private right of action for data breaches, given bipartisan concern. The draft ADPPA would have allowed statutory damages of $1,000 per consumer per violation, similar to CCPA.

The role of generative AI in producing synthetic data and deepfakes may complicate standing and damages calculations. For example, if a breach exposes biometric data used to create realistic digital impersonations, the harm may be profound but difficult to quantify. Courts will grapple with how to value such intangible injuries. The 2023 class action McKenna v. OpenAI, Inc. (N.D. Cal.) raised questions about whether the training data used to power ChatGPT—some of which was allegedly scraped from breached databases—gave rise to a privacy injury. Although that case was dismissed, future claims may succeed where concrete harm (e.g., deepfake fraud) can be proven.

Finally, the global regulatory environment continues to influence U.S. litigation. The GDPR’s hefty fines and the European Court of Justice’s expansive interpretation of damage claims (e.g., OT v. Poste Italiane S.p.A. (2023), holding that fear of misuse constitutes non‑material damage) have inspired similar arguments in American courts. Cross‑border class actions involving multinational corporations are becoming more common, particularly when EU residents’ data is compromised alongside U.S. consumers. The 2024 In re: TikTok, Inc. Consumer Privacy Litigation consolidated claims from both American and European users, testing the limits of the U.S. class action mechanism for international harms.

Conclusion

The field of data security breach class actions is dynamic and complex. Businesses must stay informed about evolving legal standards and invest proactively in cybersecurity to mitigate both the risk of a breach and the potentially devastating legal consequences that follow. Companies that treat data protection as a core business imperative—rather than merely an IT compliance burden—will be best positioned to navigate this challenging landscape.