An Update on Standing in Data Breach Class Actions

on Friday, 21 February 2025 in Technology & Intellectual Property Update: Arianna C. Goldstein, Editor

Data breach class action lawsuits were initially met with skepticism. Plaintiffs’ attorneys alleged damages for data breaches by claiming their clients suffered from emotional stress worrying about their financial data being stolen and possibly resulting in identity theft or actual financial harm. Judges quickly dismissed those initial cases. As the years have passed, those initial cases are now well in the rear-view mirror, and judges are now very willing to entertain these cases. The newfound willingness of the courts to entertain the possibility of a future financial harm has resulted in a swell of data breach class actions.

In fact, there has been a significant increase in data breach class actions. In 2017, the number of data breach class actions was under two hundred, but a few years later, in 2024, the number of cases filed was just short of fifteen hundred. Each data breach notification usually results in several class actions, particularly for large-scale breaches.

Data breach laws are unique in that companies are required by statute to disclose cybersecurity breaches that are likely to lead to events that may result in the company becoming a defendant. Many state Attorneys General publish data breach notifications on their websites. These notices make it relatively easy for plaintiffs’ attorneys to find breaches and file new complaints.

The surge in the number of class action cases has led to an increase in settlement demands from plaintiffs’ attorneys. Some high-profile settlements include:

  • Meta: $1.3 Billion
  • Didi Global: $1.19 Billion
  • Amazon: $877 Million

Some of the most cited cases by plaintiffs are:

  • Savidge v. Pharm-Save, Inc., 727 F.Supp.3d 661 (2024)

The Savidge court found that former employees whose personally identifiable information (PII) was disclosed in a data breach demonstrated a sufficiently imminent risk of future harm to have standing to sue for negligence and seek damages. The stolen information included sensitive data such as Social Security numbers, and the plaintiffs demonstrated that some of the information had already been exploited. This case has become one of the most quoted cases in plaintiffs’ briefs.

  • In re LastPass Data Security Incident Litigation, 742 F.Supp.3d 109 (2024)

The court found that the plaintiffs demonstrated a clear temporal connection between the data breach and the misuse of their data.

  • In re Fortra File Transfer Software Data Security Breach Litigation, --- F.Supp.3d --- (2024)

The court provided the following quote:

“Central to assessing concreteness is whether the asserted harm has a ‘close relationship’ to a harm traditionally recognized as providing a basis for a lawsuit in American courts—such as a physical harm, monetary harm, or various intangible harms[.]” TransUnion, 594 U.S. at 417, 141 S.Ct. 2190. Concrete intangible harms may include reputational harms, disclosure of private information, and intrusion on seclusion. Id. at 424, 141 S.Ct. 2190 (collecting cases). (emphasis added)

Additionally, the court noted:

Indeed, as the Eleventh Circuit recently confirmed, the posting of financial and personal information on the dark web “establishes both a present injury—credit card data and personal information floating around on the dark web—and a substantial risk of future injury—future misuse of personal information associated with the hacked credit card … that is sufficient to establish Article III standing.” Green-Cooper v. Brinker Int’l, Inc., 73 F.4th 883, 890 (11th Cir. 2023).

The court stated that evidence of data misuse is necessary to establish concrete harm. In this case, the court opined that the plaintiffs had demonstrated numerous instances of fraudulent misuse of their PII following the data breach; therefore, the court upheld their standing.

The changing attitude of courts to future possible financial harm and the ease of identifying cases and potential victims will lead to a continued increase in class action suits. Indeed, the posting of information on the dark web will provide a basis for the actual misuse or abuse of sensitive data, and will most likely lead to a court finding standing to allow the case to continue.