Data breaches have become increasingly common in recent years. As more and more of our personal and financial information is stored online, the risk of that data falling into the wrong hands continues to grow. If you’ve been the victim of a data breach, you may be wondering if you can take legal action against the company or organization responsible. Here’s what you need to know about suing over a data breach.
What constitutes a data breach?
A data breach occurs when sensitive, confidential, or otherwise protected data is accessed without authorization. This can happen through hacking, malware, physical theft of devices containing data, accidental exposure on the internet, or even insider theft. Some common types of personal data exposed in breaches include:
- Names
- Email addresses
- Phone numbers
- Social Security numbers
- Driver’s license numbers
- Credit card or financial account numbers
- Medical records
- Health insurance information
- Login credentials and passwords
For a data breach to have occurred, the accessed data must have been secured and protected from unauthorized access in the first place. Truly public data that was never meant to be kept private cannot be considered “breached.”
What are the potential damages from a data breach?
Data breaches can result in significant damages, depending on the type and extent of data exposed. Potential consequences include:
- Identity theft – Hackers can use personal data like SSNs, dates of birth, etc. to open fraudulent accounts and commit other identity crimes.
- Medical/health insurance fraud – Medical records and insurance info in the wrong hands can enable costly fraudulent medical claims.
- Financial fraud – Breached financial account numbers, bank account details, etc. can facilitate various types of financial fraud and theft.
- Reputational damage – The publication of sensitive personal information can harm reputations and cause public embarrassment.
Beyond direct losses, victims of data breaches often endure significant stress, anxiety, loss of privacy, and time spent resolving fraud issues.
Do data breach victims have the right to sue?
In many cases, yes – data breach victims can sue the responsible parties for damages. Specific legal rights and ability to sue depend on how and where the breach occurred.
Breach of contract
If you paid a company for goods or services, you likely had a consumer contract with them. This contract may have included explicit or implicit promises to protect your personal data as part of the transaction. If the company then failed to sufficiently protect your data from breach, you may have a claim for breach of contract.
Negligence
Companies and organizations have a general duty of care to handle your personal information responsibly, just as they must maintain their physical premises reasonably safely. If lax security or other negligent actions directly enabled a breach that harmed you, the company may be liable for negligence.
State data breach notification laws
Many U.S. states have passed data breach notification laws, which require companies to notify affected individuals of a breach within a certain timeframe – often 30-60 days. Provisions for civil penalties and private rights of action are sometimes attached to these notification laws, allowing individuals to sue if they are harmed by an untimely or insufficient breach notice.
State data security laws
A growing number of states have also enacted more general data security statutes that impose data protection requirements on companies operating in the state. Violating these statutes through negligent security practices that contribute to breaches may support lawsuits by harmed consumers.
Federal statutes
Current federal laws provide limited opportunities for individuals to sue companies directly over data breaches. However, specific sectors like healthcare and finance have tailored federal statutes that may apply in data breach situations:
- HIPAA – Provides privacy rights regarding medical records and personal health data.
- GLBA – Governs protection of financial account information.
- FCRA – Covers rights regarding credit reports and personal consumer data from credit reporting agencies.
Violating these federal laws can potentially form the basis of a civil lawsuit following a data breach.
What are the legal hurdles to winning a data breach lawsuit?
While data breach victims often theoretically have legal grounds to sue, succeeding with these claims in court can be challenging. Some key obstacles include:
- Proving concrete injury/harm – Courts require plaintiffs to prove they suffered real financial losses or other harms directly due to the breach. Speculative fears about potential identity theft are usually not sufficient.
- Proving causation – It must be shown that the defendant’s specific actions or inactions caused the breach in a direct and traceable way.
- Proving negligence – Plaintiffs need to show the defendant failed to exercise reasonable care in protecting data, relative to industry standards.
- Navigating complex cybersecurity concepts – Judges and juries often lack technical expertise to evaluate the soundness of security measures.
Consumer class actions related to data breaches are on the rise, but still face an uphill battle in many courts. Victims are much more likely to recover something if they can participate in class actions rather than suing individually.
What damages or remedies are available in data breach lawsuits?
Successful data breach lawsuits may yield different types of payouts or remedies, including:
- Actual proven financial losses – This includes documented losses due to fraud as well as costs like credit monitoring services and lost time/wages spent resolving issues.
- Emotional distress damages – In some cases, compensation for mental anguish related to privacy invasion or data misuse may be awarded.
- Punitive damages – If negligence or especially egregious privacy violations are proven, punitive damages meant to punish and deter the defendant may be granted.
- Injunctive relief – Courts can order companies to improve security practices and comply with applicable data protection laws going forward.
Settlements and jury awards in the hundreds of thousands or even millions of dollars are not unheard of in major data breach cases. However, recovering anything substantial as an individual plaintiff remains difficult.
Recent noteworthy data breach lawsuits
Some major recent data breach lawsuits include:
- Anthem Breach – Health insurer Anthem suffered a huge breach in 2015 impacting nearly 79 million people. A $115 million settlement was reached in 2020.
- Equifax Breach – The massive 2017 Equifax breach exposed Social Security and driver’s license data on 147 million people. A $700 million settlement fund was established in 2019.
- Facebook Breach – A 2018 Facebook breach affected 30 million user accounts. Facebook agreed to boost security spending by $100 million to settle a lawsuit.
- Capital One Breach – Hacker Paige Thompson accessed 100+ million Capital One customer records in 2019. Capital One settled a class action lawsuit for $190 million.
While these large settlements may seem like wins, they often only amount to a few dollars per victim after being divided among millions of class members. But the lawsuits have brought publicity to egregious security failures, pressuring companies to take breaches more seriously.
Should you consider suing after a data breach?
Deciding whether to pursue legal action after a data breach depends on your specific situation. Considerations include:
- How sensitive was the breached data? Were just emails exposed, or very personal info?
- What quantifiable losses have you suffered due to fraud or misuse of the data?
- How severe were the company’s security failures? Did they ignore warnings?
- Does your state have strong data protection and breach notice laws?
- Were many other people impacted? Is a class action possible?
A lawyer experienced with data breach litigation can assess whether you may have a viable case worth pursuing. For substantial breaches impacting many people, joining a class action lawsuit is often the most realistic way to recover anything.
How can data breach victims seek compensation?
If you decide to pursue compensation for a data breach, first collect documentation of all losses and damages you’ve suffered. Be specific. Then you can seek damages by:
- Filing a small claims court suit (for relatively minor breaches)
- Working with an attorney to file an individual lawsuit
- Joining a class action lawsuit, if available
- Making a formal complaint to the FTC or your state attorney general
- Contacting the company responsible for the breach directly to request compensation
Having an attorney increases the chances of successfully proving your case and recovering meaningful compensation. Class actions tend to be the most viable option in large breaches.
How can consumers protect themselves following a data breach?
Whether or not you pursue legal action, important steps to take right after a breach include:
- Changing any compromised passwords for the breached account/website
- Placing a credit freeze on your credit reports to block fraudsters from opening new accounts
- Closely monitoring bank and credit card statements for suspicious activity
- Being alert to any contacts or inquiries from identity thieves impersonating legitimate companies
- Considering identity theft protection services that provide credit monitoring
Additionally, consumers should take password security more seriously in general by using unique, complex passwords, enabling two-factor authentication when available, and avoiding unsecured Wi-Fi connections for sensitive logins.
Conclusion
Data breaches can have severe consequences for victims, but holding companies accountable through lawsuits has proven challenging. While legal options exist on paper, the technical complexities surrounding breaches make proving negligence and causation difficult. For now, impacted individuals have the best chance of compensation if they can participate in class action lawsuits. But public breach disclosure laws and successful lawsuits are slowly pressuring companies to invest more seriously in data security, which could prevent future breaches from occurring in the first place.