Can You Sue a Company for a Data Breach?

When you give sensitive data to a company, you expect it to adequately secure that information. Unfortunately, companies are sometimes negligent in security practices. Data breaches can lead to long-term, frustrating attempts to fight identity theft, false purchases in your name, destruction of your credit, and other harm.

Home • What is a Data Breach • Can You Sue a Company for a Data Breach?

Last Modified date: February 11, 2025

Discovering that your personal information was compromised is unnerving. It can leave you anxiously wondering who has your information and how they will use it, but you don’t have to face the situation alone. You can sue a company for a data breach to hold it accountable and seek compensation for any damages.

When Can You Sue a Company for a Data Breach?

Each state and the District of Columbia have data breach laws with different definitions of sensitive data. Theft of your name and address may not constitute a breach for which you can file a claim. However, theft of your Social Security number, credit card numbers, or other sensitive information usually is.

Circumstances under which you can usually sue include:

When a data controller or processor fails to protect your personal information as dictated by law.
The personal data breach resulted in psychological distress, financial loss, or both, or you spent significant time addressing it to protect yourself.

Where you file depends on the circumstances. Some class actions remain in state court. However, based on the Class Action Fairness Act, federal courts can often claim jurisdiction at the defendant’s request.

Federal laws pertain to specific holders of personal information, such as financial institutions or companies that hold medical data. These data breach cases also go to federal court.

Who Can File a Lawsuit for a Data Breach?

Individuals, companies, and organizations directly affected by a data breach can file a lawsuit, but only if there is harm. Talk to an experienced data breach lawyer before deciding whether a data breach harmed you. Courts have broadly interpreted what is considered harm in a data breach claim. The potential of future harm may be enough, especially if you’ve had to take steps to protect yourself.

An accomplished data breach lawyer can help you navigate complex legal issues around your standing to sue and advise you whether to start or join an existing class action lawsuit or file an individual claim.

How Long Do You Have To Sue for a Data Breach?

The statute of limitations for a data breach claims depends on your jurisdiction. Some states don’t have a time limitation written into data breach laws. Instead, the statute of limitations may fall under an “all other actions” clause or a specific claim your attorney forwards, such as a breach of contract.

In most federal data breach class actions, judges rely on your state’s statute of limitations. In Fero v. Excellus Health Plan, Inc., a federal judge refused to certify a class partly because too many members were likely time-barred from filing based on state law.

Class Action U can assist you in finding an experienced attorney who will determine how long you have to file your lawsuit.

Examples of Successful Data Breach Lawsuits

There have been data breaches across many types of businesses in the United States. Notable successful class action lawsuits based on these breaches include:

Equifax: The Equifax data breach in 2017 exposed the personal information of 147 million people, resulting in hundreds of class action lawsuits. The company agreed to a global settlement of up to $425 million for affected customers. Plaintiffs whose information was misused could also claim free identity restoration services.
T-Mobile: The T-Mobile data breach in 2021 affected 76.6 million customers. The company settled a class action lawsuit for $350 million. There were additional breaches in 2022 and 2023, resulting in more fines and a federal consent decree ordering T-Mobile to change its cybersecurity practices significantly.

The size and scope of the Equifax data breach and the multiple data breaches at T-Mobile offer lessons to consumers. Do not assume that information is safe, and constantly monitor your credit reports and bank statements. Consumers can access a free credit report weekly.

How Can a Lawyer Help You Sue a Company for a Data Breach?

Data breach cases can be very complex. It is essential to partner with an attorney with experience in these claims as soon as possible so they can start taking steps to support a suit:

Investigating the breach: Your attorney will investigate when and how the breach occurred and how long it took the company to notify you. Your lawyer will also do a preliminary analysis of damages to show that you have standing to sue. When you contact Class Action U, you may receive a data breach investigation form from one of our partners.
Gathering evidence of negligence: Your attorney must show that the company did not take reasonable steps to protect your data. This may involve using experts, reviewing company security policies, and securing internal company communications that can bolster your claim.
Negotiating settlements or taking the case to court: Your attorney may negotiate a fair settlement based on strong evidence. If not, they will advise on starting or joining a class action or filing individually.
Quantifying your damages: Proving harm can be one of the most challenging aspects of a data breach claim. A knowledgeable attorney can determine your current and future emotional and financial losses based on experience in other claims.

Gather evidence of a data breach and your harm immediately. Check our list of current data breaches to determine if you are part of a known incident. Keep all communications if you already received a notification of a data breach. This information will be helpful when you first meet with an attorney.

What Damages Can You Claim in a Data Breach Lawsuit?

Data breaches can result in varying levels of harm depending on how your information is used and what steps you must take after exposure. Damages in a data breach lawsuit include:

Financial losses
Loss of time addressing the breach
Emotional distress and loss of privacy
Costs of identity theft protection

How Much Can You Sue a Company for a Data Breach For?

Your potential compensation depends on your damages. If you have significant unreimbursed credit card charges, severely damaged credit, or significant costs from combatting identity theft, your case will be worth more than if you only paid for credit monitoring.

Compensation in class action lawsuits varies greatly. The harm suffered by the class and the quality of legal representation affect payouts. Compensation may be higher if there are punitive damages.

Data Breach Class Action FAQs

Discovering that a company did not protect your data often raises questions about the process for seeking compensation, such as:

1. What Evidence Do I Need To Prove Harm?

You must show financial or emotional losses tied to the data breach. Bank statements, credit histories, an accounting of time spent trying to secure your data, and other evidence can prove to a judge that you have actual damages and standing to file a claim.

2. What if I Didn’t Know the Breach Happened Until Years Later?

Whether a judge extends your time limit to file a claim depends on why you didn’t know about the breach. If the company hid that information, a judge may rule that the statute of limitations didn’t start running until you discovered your harm. However, if you received an earlier notice and ignored it, you likely cannot file if your time limit expired.

Partner with an experienced attorney who can determine whether you can still file a claim and the best next steps.

Contact Class Action U To Connect You With an Experienced Data Breach Lawyer

Companies sent 1.7 billion data breach notices in 2024, a 312 percent increase from 2023. If you believe your data was compromised or you received a data breach notice letter, contact Class Action U. We will connect you with a skilled attorney to guide you through the legal process, fight to hold responsible parties accountable, and work to secure the compensation you deserve.

"*" indicates required fields

Name*

First Name Last Name

Email*

Phone Number*

Zip Code*

Tell Us About Your Case

By submitting this form, I agree to the Terms, Disclaimer and Privacy Notice and to receiving calls and emails from the law firm handling this investigation

TCPA*

By checking this box and clicking "Submit", I am providing my electronic signature expressly consenting to receive marketing phone calls, emails, and SMS text messages from Kopelowitz Ostrow Ferguson Weiselberg Gilbert (KO), or parties acting on its behalf, related to the products or services that I am inquiring about on the landline and/or mobile phone number that I provided, regardless of whether it is on any Do Not Call registry. I confirm that the phone number set forth above is accurate and that I am the regular user of the phone number. I understand that these calls may be generated using an automatic telephone dialing system and may contain pre-recorded and/or artificial voice messages. I understand that consent is not required as a condition for purchasing or obtaining any products or services. For SMS messages campaigns, text "STOP" to stop and "HELP" for help. Msg & data rates may apply.

Phone

This field is for validation purposes and should be left unchanged.