There is a great deal of misunderstanding concerning data security breach-related class actions. In large part the media and the legal media have exaggerated the quantity (and success) of class action litigation.

The following provides an overview of the risks associated with lawsuits following data security breaches.1


The percentage of data breaches that lead to lawsuits.2


The increased odds of being sued if the breach was caused by a company’s unauthorized disclosure or disposal of data.3


The decreased odds of being sued if a company provides free credit monitoring following a breach.4


Settlement rate for data breach lawsuits.5


Increase in likelihood of settlement post class-certification.6


The increased odds of settlement where the cause of the breach is a cyber-attack.7


Decline in the quantity of data breach class action filings.8


Decline in unique defendants of class action filings.9


Number of different legal theories alleged by plaintiffs.10

What factors you should look at when considering the likelihood of receiving a class action complaint following a data breach:

  1. Is a plaintiff’s firm looking at government records for information relating to your organization’s data security practices? For example, have they submitted requests to the FTC under the Freedom of Information Act?
  2. Was the quantity of records lost lower, or greater, than the average number of records involved in recent class action lawsuits?
  3. Did consumers suffer any direct monetary harm?
  4. Could the data fields involved lead to identity theft?
  5. Has there been any evidence of actual identity theft?
  6. Did you offer credit monitoring, identity theft insurance, and/or credit repair services?
  7. If so, what percentage of impacted consumers availed themselves of your offer?
  8. Has the jurisdiction in which you are most likely to receive a lawsuit (e.g., where you are incorporated or primarily operate your business) permitted other data security class action complaints to proceed past the pleadings stage?
  9. Has the media widely reported on your data breach?
  10. If so, did the media report your data breach before, or after, the company notified impacted consumers?

1. Romanosky, et al, Empirical Analysis of Data Breach Litigation, 11(1) Journal of Empirical Legal Studies June 1, 2012),

2. Id.

3. Id.

4. Id.

5. Id.

6. Id.

7. Id.

8. Bryan Cave LLP, Snapshot of Bryan Cave’s 2016 Data Breach Litigation Report,


10. Bryan Cave LLP, 2016 Data Breach Litigaiton Report, at 9, available at

[View source.]