Your personal information was exposed in a data breach—now what? When companies fail to protect your sensitive data, you may have legal recourse. Data breach lawsuits have resulted in massive settlements, including T-Mobile’s $350 million settlement in 2022. But individual claims require proving actual harm, which isn’t always straightforward.
Quick Answer
Yes, you can sue a company for a data breach, but you typically must prove you suffered actual harm—such as identity theft, financial loss, or significant time spent addressing the breach. Class action lawsuits are common because individual damages are often modest. If you’ve experienced measurable harm from a breach, consulting a data privacy attorney can help determine your options.
When Can You Sue for a Data Breach?
You may have a viable claim if:
- You suffered identity theft traced to the breach
- You experienced financial losses (fraudulent charges, drained accounts)
- You spent significant time dealing with breach consequences
- You had to pay for credit monitoring or fraud protection
- You experienced emotional distress with documented effects
The “Standing” Problem
Courts have historically required plaintiffs to show “concrete” harm—not just that their data was exposed. Simply being part of a breach, without more, may not be enough to sue. However, courts are increasingly recognizing that:
- Increased risk of identity theft is a cognizable harm
- Time and money spent protecting yourself counts
- State laws may provide broader standing
Who Can Be Sued?
Any organization that collects and stores personal data can potentially be held liable:
| Type of Organization | Examples |
|---|---|
| Retailers | Target, Home Depot data breaches |
| Financial institutions | Banks, credit unions, lenders |
| Healthcare providers | Hospitals, insurance companies, clinics |
| Tech companies | Social media platforms, apps, cloud services |
| Government agencies | OPM breach exposed millions of federal employees |
| Employers | Employee data breaches |
| Educational institutions | Universities, schools storing student data |
Legal Theories for Data Breach Claims
Negligence
The company failed to use reasonable care to protect your data. You must prove:
- The company owed you a duty to protect your information
- They breached that duty with inadequate security
- The breach caused your harm
- You suffered actual damages
Breach of Contract
If the company’s privacy policy or terms of service promised to protect your data, failing to do so may constitute breach of contract.
State Consumer Protection Laws
Many states have laws against unfair or deceptive business practices. Failing to disclose a breach promptly or misrepresenting security practices may violate these laws.
State Data Breach Laws
All 50 states now have data breach notification laws. Some also provide private rights of action allowing lawsuits.
HIPAA Violations (Healthcare)
Healthcare data breaches may violate HIPAA, though HIPAA itself doesn’t provide a private right of action. State laws may fill this gap.
Class Actions vs. Individual Lawsuits
Class Action Lawsuits
Most data breach cases are class actions because:
- Individual damages are often small
- Litigation costs are shared
- Greater leverage against large companies
- More efficient for courts
Notable Data Breach Settlements
| Company | Settlement | Year |
|---|---|---|
| T-Mobile | $350 million | 2022 |
| Equifax | $700 million | 2019 |
| Yahoo | $117 million | 2020 |
| Capital One | $190 million | 2022 |
| Anthem | $115 million | 2017 |
Individual Lawsuits
An individual lawsuit may be worthwhile if:
- You suffered significant individual damages
- Identity theft caused major financial harm
- You have documented losses exceeding class settlement amounts
- You can prove the breach specifically caused your harm
What You Can Recover
Typical Damages
- Out-of-pocket expenses: Costs of credit monitoring, fraud alerts, account freezes
- Financial losses: Stolen funds, unauthorized charges
- Time spent: Hours dealing with breach consequences (some states)
- Credit monitoring services: Often provided in settlements
- Identity theft recovery costs: Legal fees, documentation costs
Class Action Settlement Benefits
Typical class settlements provide:
- Small cash payments ($25-$150 per person)
- Free credit monitoring (1-2 years)
- Reimbursement for documented losses
- Identity theft protection services
What to Do After a Data Breach
- Confirm the breach: Verify through official company communications
- Document everything: Save breach notifications, keep records of time spent responding
- Check your accounts: Review bank and credit card statements for fraud
- Place fraud alerts: Contact the three credit bureaus
- Consider a credit freeze: Prevents new accounts from being opened
- Monitor your credit: Sign up for free monitoring services
- Report identity theft: File with the FTC at identitytheft.gov if fraud occurs
- Keep receipts: Document any costs incurred
- Watch for class actions: You may automatically be included
Statute of Limitations
Deadlines vary by state and legal theory:
- Negligence claims: Often 2-4 years
- Contract claims: Often 4-6 years
- State privacy law claims: Varies widely
The clock may start when the breach occurred, when you discovered it, or when you suffered harm—depending on your state.
Frequently Asked Questions
I received a breach notification but haven’t been harmed. Can I sue?
It’s difficult. Most courts require actual harm, not just potential harm. However, you should monitor your credit closely and document any time or money spent on protective measures. If identity theft occurs later, you may then have a viable claim.
Should I join a class action or file individually?
For most people, class actions are the practical option. Individual suits only make sense if your damages are substantial and clearly traceable to the specific breach. An attorney can help evaluate your situation.
What if the company offers free credit monitoring?
Accept it—it doesn’t waive your legal rights (unless the terms say otherwise, so read carefully). Free monitoring provides protection and helps document any subsequent harm.
Can I sue if my data was sold on the dark web?
If you can prove the data came from a specific breach and you suffered harm as a result, potentially yes. But tracing data to a particular breach can be challenging.
How much could I receive from a class action?
Class action payments are typically modest—often $25-$150 per person—because the settlement is divided among all affected individuals, which can number in the millions. Those with documented losses may receive more.
When to Contact a Lawyer
Consider consulting a data privacy attorney if:
- You experienced identity theft after a breach
- You suffered significant financial losses
- You spent substantial time and money dealing with breach consequences
- You want to understand your options for a specific breach
- You’re unsure whether to join a class action or opt out
Many data breach attorneys offer free consultations and take cases on contingency. Class action participation typically costs nothing unless there’s a recovery.