There is a great deal of misunderstanding concerning data security breach-related class actions. In large part, the media and the legal media have exaggerated the quantity (and success) of class action litigation.

The following provides an overview of the risks associated with lawsuits following data security breaches.1


The total number of data security breach-related class actions filed in federal court in a year.2


The number of unique defendants that were sued (after multiple pile-on suits were removed).3


Percentage of publicly reported data breaches that led to a class action filing.4


The number of different legal theories used by plaintiffs in their attempt to find a theory of recovery.5


The percentage of class action lawsuits that were premised, at least in part, on a negligence theory.6


The percentage of data breach-related class action litigation that involved the exposure of a sensitive category of information.7


The following are some of the factors that you should look at when considering the likelihood of receiving a class action complaint following a data breach:

  1. Has the media widely reported on your data breach?
  2. If so, did the media report your data breach before, or after, the company notified impacted consumers?
  3. Was the quantity of records lost lower, or greater, than the average number of records involved in recent class action lawsuits?
  4. Did consumers suffer any direct monetary harm?
  5. Could the data fields involved lead to identity theft?
  6. Has there been any evidence of actual identity theft?
  7. Did you offer credit monitoring, identity theft insurance, and/or credit repair services?
  8. If so, what percentage of impacted consumers availed themselves of your offer?
  9. Has the jurisdiction in which you are most likely to receive a lawsuit (e.g., where you are incorporated or primarily operate your business) permitted other data security class action complaints to proceed past the pleadings stage?
  10. Is a plaintiff’s firm looking at government records for information relating to your organization’s data security practices? For example, have they submitted requests to the FTC under the Freedom of Information Act?

This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.