there is a significant uptick of ransomware attacks, where criminals are demanding a payment in exchange for not publishing data that they were able to obtain. But even if a company chooses to pay off a ransom, there is still a real worry that paying off a hacker does not guarantee that they will delete the data. Many believe that these payments only encourage the attacks to continue. As a result, we expect to see more large-scale data breaches impacting companies across all industries, as the shift to remote working, cloud-based storage, and the rise in sophisticated cybercriminals threatens data security. This in turn will lead to more data breach class action lawsuit filings.
While data breach actions pursued a decade ago faced little prospect of success, recent developments in the law and subsequent jurisprudence are providing momentum for the plaintiffs’ class action bar. Plaintiffs can more readily show standing and successfully plead duty, causation, and damages.

A fundamental question in most data breach class actions is whether the plaintiff can show that he or she has standing to assert claims. While it is well-settled that individuals who have experienced direct economic injury from a breach (such as incurring fraudulent charges) have legal standing, as do those who can plausibly allege that their data was improperly accessed, the standing of group members who do not have a firm indication that their data was accessed or misused by an unauthorized party is highly contested. Plaintiffs’ attorneys typically allege several “harms” to try to establish a cognizable injury for this subset of claims. Such “injuries” may include the lost economic value of their personal information, overpayment for the defendant’s services, lost “benefit of the bargain,” increased spam communications, emotional distress, attenuated claims of misuse of their bank accounts, and an increased risk of future identity theft.

Additionally, individual data breach plaintiffs now utilize a wide array of state law causes of action to circumvent any limitations of federal law. It is not uncommon to see negligence claims survive motions to dismiss, as ever-evolving industry guidelines for data security may serve as the standard of care. In addition, plaintiffs often can plausibly allege that a company has a duty to take “reasonable precautions” to forestall the theft of sensitive personal information within its possession.

In recent years, the financial implications of class action settlements related to data breaches also have been escalating. This trend was particularly noticeable in 2024, with several high-profile cases resulting in substantial settlement amounts. These increasing costs can be attributed to a few key factors. First, the sheer volume of individuals affected by data breaches has grown significantly, leading to larger classes and subsequently higher settlement amounts. Second, the nature of the data being compromised is becoming more sensitive - including financial and health information - which increases the potential damages awarded in these cases. Moreover, courts are becoming more sympathetic to plaintiffs’ positions and arguments in data breach cases. They are recognizing the potential harm caused by such breaches, even when the harm is not immediately apparent. This apparent shift in judicial attitudes is likewise contributing to larger settlements.

Legal fees associated with these cases are also on the rise. As data breach litigation becomes more complex and requires specialized knowledge, legal teams are investing more resources into these cases, which serves to drive up costs.

In sum, data breach class action litigation continues to grow into a high-stakes arena. Companies of various sizes and industries are wise to invest heavily in cybersecurity. This includes not only developing a robust
© Duane Morris LLP 2025
Duane Morris Data Breach Class Action Review – 2025