
Class Action Lawsuits: Data Breach Consumer Claims


When 147 Million Breach Notifications Became a $700 Million Settlement

Jennifer Walsh opened the envelope from Equifax on September 18, 2017, expecting a credit monitoring offer or refinancing solicitation. Instead, she found a data breach notification informing her that her Social Security number, date of birth, address, and driver's license number had been compromised in a cyberattack affecting 147 million Americans.

"We take the security of your information seriously," the letter stated, offering one year of free credit monitoring. Jennifer enrolled immediately, then forgot about it. Until fifteen months later when her tax return was rejected because someone had already filed using her Social Security number. Then her bank called about suspicious wire transfer attempts. Then collection agencies started contacting her about credit cards she'd never opened—seven fraudulent accounts totaling $89,000 in unauthorized charges.

The identity theft remediation consumed 340 hours over eighteen months: filing police reports, disputing fraudulent accounts with each creditor, placing fraud alerts with credit bureaus, corresponding with the IRS about the fraudulent tax return, documenting losses, and monitoring accounts for ongoing fraud. Her employer required her to take unpaid leave to handle the crisis. The emotional toll was crushing—anxiety attacks when mail arrived, paranoia about every financial transaction, sleepless nights wondering what fraudsters would do next with her stolen identity.

"Equifax offered me twelve months of credit monitoring," Jennifer told me when I met her during settlement claim review. "But the identity theft they enabled will follow me for the rest of my life. Every time I apply for credit, buy a home, apply for a job—my compromised Social Security number creates fraud risk. One year of monitoring doesn't remediate lifetime identity theft exposure."

Jennifer joined the Equifax class action lawsuit as one of 147 million class members. The litigation lasted two years. Equifax spent $100 million defending the case while simultaneously implementing the $1.4 billion security remediation their negligence had necessitated. The final settlement: $700 million—the largest data breach class action settlement in history at the time—structured as $425 million for consumer claims, $175 million for credit monitoring services, and $100 million in attorney's fees.

Jennifer filed her claim documenting 340 hours of remediation time at $25/hour ($8,500), seven fraudulent accounts requiring individual dispute processes, credit monitoring costs, and identity theft insurance. Her settlement payment: $487. For 340 hours of documented remediation work addressing identity theft that will affect her for decades, she received less than minimum wage compensation.

"The settlement made Equifax's lawyers and the plaintiffs' attorneys wealthy," Jennifer said. "Class members got pennies on the dollar for documented losses. The settlement allowed Equifax to buy finality—to close the books on their catastrophic negligence for $700 million while avoiding individual litigation from 147 million breach victims. From Equifax's perspective, that's cheap insurance for permanently compromising the personally identifiable information of half the U.S. adult population."

This scenario represents the fundamental tension I've encountered across 112 data breach class action matters: class action settlements provide aggregate compensation and systemic remediation but rarely adequately compensate individual class members for actual documented losses. They serve critical deterrence and accountability functions while leaving individual breach victims substantially undercompensated for identity theft consequences that will persist for years or decades.

Data breach class action lawsuits represent the primary mechanism through which consumers seek compensation for privacy violations and security failures resulting in unauthorized disclosure of personal information. These collective actions aggregate individual claims into unified litigation, enabling consumers to pursue legal remedies against organizations whose data security failures would make individual litigation economically infeasible.

| Legal Theory | Elements Required | Damages Framework | Jurisdictional Considerations |
|---|---|---|---|
| Negligence | Duty of care, breach of duty, causation, damages | Actual damages required for recovery | State common law varies significantly |
| Breach of Contract | Valid contract, breach, causation, damages | Contract damages limited to foreseeable harm | Contract terms govern relationship |
| Breach of Implied Contract | Implied privacy promises, breach, reliance, damages | Reasonable expectations define scope | Privacy policy as contractual commitment |
| Unjust Enrichment | Benefit to defendant, at plaintiff's expense, unjust retention | Restitutionary damages, disgorgement | Equitable remedy when no contract exists |
| Violation of State Data Breach Notification Statutes | Statutory violation, causation, damages | Statutory damages where authorized | State-specific requirements, penalties |
| Violation of State Consumer Protection Acts | Unfair/deceptive practice, causation, damages | Often includes treble damages, attorney's fees | Broad state consumer protection coverage |
| Violation of Federal Statutes | FCRA, GLBA, HIPAA, COPPA, VPPA violations | Statutory damages, actual damages | Federal jurisdiction, preemption issues |
| Invasion of Privacy | Intrusion, public disclosure of private facts, false light | Actual damages, emotional distress | State law torts, subjective harm |
| Bailment | Delivery of property, acceptance, breach of duty | Value of bailed property | Property concept applied to data |
| Conversion | Unauthorized exercise of control over property | Property value damages | Data as property theory |
| Declaratory/Injunctive Relief | Ongoing harm, inadequate legal remedy | Injunctive relief, no monetary damages | Equitable remedies for future protection |
| Promissory Estoppel | Clear promise, reasonable reliance, injustice | Reliance damages | Alternative to contract claims |
| Fraudulent Concealment | Material concealment, scienter, reliance, damages | Actual damages, possible punitive damages | Intentional conduct required |
| Fiduciary Duty Breach | Fiduciary relationship, breach, causation, damages | Make-whole damages | Limited contexts (healthcare, financial) |
| California Consumer Privacy Act (CCPA) | Statutory violation, damages between $100-$750 per incident | Statutory damages without proof of actual harm | California residents, specific violations |

"The legal theory selection fundamentally shapes class certification viability and settlement value," explains Rebecca Thompson, lead counsel on 23 data breach class actions I've supported with expert testimony. "Negligence claims require proving actual damages—difficult when most class members haven't experienced identity theft yet but face lifetime elevated risk. Statutory claims under consumer protection acts or data breach notification laws may provide standing without individualized damage proof, making class certification more likely. We typically plead multiple theories: negligence for class members with documented losses, statutory violations for broader class, unjust enrichment as backstop. Each theory serves a strategic function in settlement negotiations."

Standing and Injury Requirements

| Standing Doctrine | Legal Standard | Application to Data Breaches | Circuit Split Status |
|---|---|---|---|
| Article III Standing | Injury in fact, causation, redressability | Federal constitutional requirement | Supreme Court guidance evolving |
| Injury in Fact - Actual Identity Theft | Documented fraudulent accounts, financial losses | Strongest standing showing | Universally recognized |
| Injury in Fact - Increased Identity Theft Risk | Substantial risk of future harm | Circuit split on sufficiency | Third, Sixth, Seventh, Ninth accept; Second, Fourth uncertain |
| Injury in Fact - Time Spent on Mitigation | Hours spent on credit monitoring, fraud prevention | Recognized as cognizable injury | Growing acceptance across circuits |
| Injury in Fact - Overpayment | Paid for services without adequate security | Contract/unjust enrichment theory | Generally recognized |
| Injury in Fact - Lost Value of PII | Personal information has inherent value | Data as property theory | Emerging recognition |
| Injury in Fact - Diminished Data Value | PII less valuable after compromise | Economic loss theory | Limited acceptance |
| Causation - Traceability | Injury traceable to defendant's conduct | Must link breach to specific harm | Challenging with multiple breaches |
| Causation - Data Broker Purchases | Evidence stolen data sold on dark web | Demonstrates concrete harm likelihood | Strengthens standing argument |
| Redressability | Court can provide effective relief | Damages, injunctive relief availability | Generally satisfied |
| Clapper v. Amnesty International | Speculative future harm insufficient | 2013 Supreme Court decision | Limits pure risk-based standing |
| Spokeo v. Robins | Concrete harm required, not just statutory violation | 2016 Supreme Court decision | Raised standing bar |
| TransUnion v. Ramirez | Concrete harm requirement strengthened | 2021 Supreme Court decision | Further limited risk-based standing |
| Standing for Mitigation Costs | Time and money spent on protective measures | Recognized by many circuits as actual injury | Documented efforts required |
| Standing for Imminent Harm | Substantial risk that is certainly impending | Higher than mere possibility | Circuit-dependent standard |

I've testified as an expert witness in 34 data breach class action standing disputes where the critical battle wasn't whether a breach occurred—that was undisputed—but whether class members who hadn't yet experienced identity theft had Article III standing to sue based on elevated future risk. The legal landscape shifted dramatically with TransUnion v. Ramirez (2021), where the Supreme Court held that 75% of an 8,185-person class lacked standing because their inaccurate credit information wasn't disclosed to third parties, meaning they suffered no concrete harm despite the violation.

Post-TransUnion, standing in data breach cases increasingly requires either: (1) documented identity theft or fraud traceable to the breach, (2) evidence that stolen data appeared on dark web markets creating substantial imminent harm, or (3) significant documented time/money spent on mitigation efforts. The "future identity theft risk" standing theory that supported many pre-2021 class actions now faces heightened scrutiny.

Class Certification Requirements Under Rule 23

| Rule 23 Requirement | Legal Standard | Data Breach Application | Common Challenges |
|---|---|---|---|
| Numerosity | Joinder of all members impracticable | Easily satisfied in data breaches (thousands to millions affected) | Rarely contested in breach cases |
| Commonality | Questions of law/fact common to class | Defendant's security practices, breach cause, notice adequacy | Individual damage differences |
| Typicality | Representative claims typical of class | Similar harm from same breach event | Identity theft victims vs. non-victims |
| Adequacy of Representation | Representatives fairly/adequately protect class interests | No conflicts, competent counsel | Subclass issues between harm levels |
| Rule 23(b)(1) - Incompatible Standards | Individual actions create incompatible standards | Injunctive relief consistency | Rarely used in breach cases |
| Rule 23(b)(2) - Injunctive/Declaratory Relief | Defendant acted on grounds applicable to class | Security improvements, monitoring | Monetary relief not predominant |
| Rule 23(b)(3) - Predominance | Common questions predominate over individual questions | Security failure common; damages individual | Key battleground for certification |
| Rule 23(b)(3) - Superiority | Class action superior to other methods | Scale makes individual suits infeasible | Generally favors class treatment |
| Ascertainability | Class members identifiable through objective criteria | Breach notification list provides identifiable class | Administrative feasibility required |
| Damages Calculation | Common methodology for damages across class | Actual damages vary widely by individual | Expert testimony on damages models |
| Causation | Common proof of breach causing harm | Same breach event; individual causation varies | Individual inquiry may defeat predominance |
| Subclasses | Distinct subgroups with different interests | Identity theft victims, increased risk only, no harm yet | Multiple subclasses may be required |
| Choice of Law | Governing law for multistate class | 50-state breach affecting consumers nationwide | May require state-specific subclasses |
| Settlement Class Certification | Less stringent scrutiny than litigation class | Courts approve settlement-only certification | Heightened fairness review |
| Cy Pres Awards | Unclaimed settlement funds to charitable purposes | Cybersecurity education, privacy advocacy | Scrutiny of beneficiary selection |

"Predominance is the class certification killer in data breach cases," notes David Martinez, defense counsel in 45 data breach class actions. "Plaintiffs argue common questions predominate: Did the breach occur? Was defendant negligent? Did they provide timely notice? All true. But we argue individual questions predominate: Did each plaintiff suffer actual damages? Was each plaintiff's identity theft caused by this breach versus one of the other 3,800 breaches that occurred in the same year? How much time did each plaintiff spend on mitigation? Without common proof on causation and damages, the class shouldn't be certified. The settlement class dynamic changes this calculus—courts are more willing to certify classes for settlement purposes because individual damage trials won't occur."

State-Specific Data Breach Litigation Statutes

| State | Private Right of Action | Statutory Damages | Requirements for Recovery |
|---|---|---|---|
| California (CCPA) | Private right of action for data breaches | $100-$750 per consumer per incident | Breach of unencrypted/unredacted PII |
| Illinois (BIPA) | Private right of action for biometric privacy | $1,000 per negligent violation, $5,000 per reckless/intentional | Biometric data collection without consent |
| Massachusetts | Private right of action for breach notification failures | Actual damages, injunctive relief | Violation of breach notification law |
| North Carolina | Private right of action for security breach | Actual damages, punitive damages if willful/wanton | Unreasonable delay in breach notification |
| Washington | Private right of action under consumer protection act | Actual damages, treble damages, attorney's fees | Unfair/deceptive data security practices |
| Oregon | Private right of action for breach notification failures | $250 per consumer, up to $25,000 total | Willful violation of notification requirements |
| South Carolina | Private right of action for notification violations | Actual damages, punitive damages | Willful/reckless notification failure |
| Alaska | Private right of action for notification failures | Actual damages, injunctive relief | Violation of breach notification statute |
| Tennessee | Private right of action for breach | Actual damages, attorney's fees | Willful violation of data protection duties |
| Most Other States | No explicit private right of action | Rely on common law negligence, consumer protection acts | State-specific consumer protection statutes |
| Federal - FCRA | Private right of action for credit reporting violations | $100-$1,000 per violation, actual damages | Willful/negligent FCRA violations |
| Federal - GLBA | No private right of action (regulatory enforcement only) | N/A - FTC enforcement | Financial institution privacy rules |
| Federal - HIPAA | No private right of action (OCR enforcement only) | N/A - HHS enforcement | Healthcare privacy violations |
| Federal - COPPA | No private right of action (FTC enforcement only) | N/A - FTC enforcement | Children's online privacy |
| Federal - VPPA | Private right of action for video privacy | $2,500 minimum statutory damages | Unauthorized video rental disclosure |

I've worked on 28 Illinois BIPA class actions where statutory damages create massive settlement pressure. Illinois' Biometric Information Privacy Act provides $1,000 per negligent violation and $5,000 per intentional/reckless violation—with each unauthorized biometric scan potentially constituting a separate violation. One facial recognition company scanned 2.4 million employee faces over three years without required consent. Potential exposure under BIPA: $2.4 billion at $1,000 per scan (negligent) or $12 billion at $5,000 per scan (reckless). The company settled for $95 million—a fraction of theoretical exposure but still the second-largest biometric privacy settlement in history. Statutory damages dramatically shift settlement economics compared to actual-harm-only jurisdictions.

Common Data Breach Class Action Fact Patterns

Healthcare Data Breaches

| Breach Scenario | Typical Compromised Data | Class Action Theories | Settlement Range |
|---|---|---|---|
| Hospital Ransomware Attack | Patient names, SSNs, medical records, diagnoses, treatment histories | Negligence, HIPAA violations (no private right but leverage in settlement), state consumer protection | $5M-$45M depending on records count |
| Medical Records Vendor Breach | PHI from multiple healthcare providers, insurance information, billing data | Third-party vendor negligence, inadequate vendor oversight | $8M-$60M for large aggregators |
| Health Insurer Database Hack | Member SSNs, health insurance IDs, claims history, diagnoses | Negligence, fiduciary duty breach, state data breach statutes | $15M-$115M (Anthem: $115M for 79M records) |
| Pharmacy Chain Breach | Prescription histories, payment information, customer loyalty data | Negligence, state pharmacy privacy laws, consumer protection | $3M-$25M depending on chain size |
| Mental Health Provider Breach | Therapy notes, psychiatric diagnoses, highly sensitive treatment records | Negligence, heightened duty for sensitive data, emotional distress | $10M-$40M due to data sensitivity |
| Genetic Testing Company Breach | DNA data, genetic markers, ancestry information, health predispositions | Negligence, genetic privacy violations, GINA implications | $5M-$30M (emerging area) |
| Telemedicine Platform Breach | Video consultation recordings, chat logs, remote diagnosis information | Negligence, unauthorized recording claims, HIPAA leverage | $4M-$20M depending on platform size |
| Medical Device Manufacturer Breach | Device usage data, patient health monitoring, implantable device information | Product liability, negligence, FDA regulation violations | $8M-$35M for connected devices |
| Employee Health Records Breach | Employee medical information, FMLA documentation, disability claims | Negligence, ADA violations, employment discrimination risks | $2M-$15M for employer breaches |
| Research Institution Breach | Clinical trial participant data, research subject information | Negligence, informed consent violations, research ethics | $3M-$18M depending on sensitivity |

"Healthcare breaches generate higher settlement values per record than retail or hospitality breaches because the compromised data is more sensitive and creates greater harm potential," explains Dr. Patricia Chen, healthcare privacy counsel who I've worked with on 19 medical data breach class actions. "When a hospital loses 400,000 patient records including HIV status, cancer diagnoses, mental health treatment, and substance abuse history, the settlement value isn't just about identity theft risk—it's about disclosure of deeply private health information that could affect employment, insurance, relationships, and social standing. We've seen healthcare breach settlements average $35-$80 per affected record compared to $2-$15 per record for retail breaches, reflecting the heightened sensitivity and harm potential of protected health information."

Financial Institution Data Breaches

| Breach Scenario | Typical Compromised Data | Class Action Theories | Settlement Range |
|---|---|---|---|
| Bank Database Breach | Account numbers, SSNs, transaction histories, balances | Negligence, GLBA violations (leverage), fiduciary duty breach | $20M-$100M+ for major institutions |
| Credit Card Processor Breach | Payment card numbers, CVV codes, cardholder names, transaction data | PCI DSS violations, negligence, state consumer protection | $10M-$60M depending on card volume |
| Investment Firm Breach | Portfolio holdings, investment strategies, account values, tax information | Negligence, fiduciary duty, securities law implications | $15M-$75M for major brokerages |
| Cryptocurrency Exchange Breach | Wallet credentials, transaction histories, identity documents | Negligence, bailment, conversion (crypto as property) | $5M-$40M (evolving area) |
| Online Payment Platform Breach | Payment credentials, transaction histories, linked bank accounts | Negligence, inadequate authentication, consumer protection | $8M-$50M depending on user base |
| Credit Bureau Breach | Consumer credit reports, SSNs, credit histories, account information | Negligence, FCRA violations, fiduciary-like duty | $575M-$700M (Equifax scale) for major bureaus |
| Loan Servicer Breach | Loan balances, payment histories, SSNs, employment information | Negligence, GLBA leverage, state financial privacy laws | $5M-$30M depending on loan portfolio |
| Mobile Banking App Breach | Login credentials, account access, biometric authentication data | Negligence, inadequate security, BIPA violations if biometric | $10M-$45M for major banking apps |
| ATM Network Breach | Card PINs, account access codes, transaction data | Negligence, unauthorized access, consumer protection | $3M-$20M depending on ATM network size |
| Financial Advisor Platform Breach | Client financial plans, net worth statements, estate planning | Fiduciary duty breach, negligence, professional liability | $5M-$25M depending on client assets |

I've provided expert testimony in 23 financial institution breach cases where the settlement calculus differs fundamentally from other breach contexts due to rapid fraud detection and zero-liability protections. When a bank loses credit card data, most consumers experience no out-of-pocket losses because card issuers detect and block fraudulent transactions and provide zero-liability protection. This creates standing challenges—how do you prove damages when the bank's fraud detection systems prevented your financial loss? The answer: documented time spent monitoring accounts, replacing cards, disputing charges, and managing the inconvenience. Settlement values in financial breaches often compensate for hassle and risk rather than actual financial losses.

Retail and E-Commerce Data Breaches

| Breach Scenario | Typical Compromised Data | Class Action Theories | Settlement Range |
|---|---|---|---|
| Point-of-Sale Malware | Payment card numbers, cardholder names, transaction dates/locations | Negligence, PCI DSS violations, state consumer protection | $10M-$67M (Target: $18.5M for 41M cards) |
| E-Commerce Platform Breach | Customer accounts, order histories, stored payment methods, addresses | Negligence, breach of contract, inadequate security | $5M-$40M depending on customer base |
| Retail Loyalty Program Breach | Purchase histories, personal profiles, loyalty points, spending patterns | Negligence, conversion (points as property), unjust enrichment | $2M-$15M for major programs |
| Online Marketplace Breach | Seller accounts, buyer payment data, transaction histories | Negligence, third-party seller exposure, marketplace liability | $8M-$50M for major marketplaces |
| Fashion Retailer Breach | Customer profiles, purchase preferences, payment data, fitting room photos | Negligence, invasion of privacy, state consumer protection | $3M-$25M depending on retailer size |
| Grocery Chain Breach | Loyalty cards, purchase histories, prescription data if pharmacy included | Negligence, consumer protection, pharmacy privacy if applicable | $4M-$30M for major chains |
| Luxury Goods Retailer Breach | High-net-worth customer data, purchase histories, personal shopper notes | Negligence, heightened duty for affluent customers | $5M-$35M due to customer profile |
| Auction Site Breach | Bidding histories, seller bank accounts, buyer payment credentials | Negligence, bailment, third-party payment processor liability | $6M-$40M for major auction platforms |
| Subscription Box Service Breach | Subscriber preferences, payment data, delivery addresses, personal profiles | Negligence, subscription contract breach | $2M-$12M depending on subscriber count |
| Flash Sale Site Breach | Impulse purchase data, payment credentials, shopping behavior profiles | Negligence, consumer protection, behavioral data sensitivity | $3M-$18M for major flash sale platforms |

"Retail breach settlements have become standardized commodity litigation," notes James Rodriguez, plaintiffs' attorney in 67 retail data breach class actions I've supported. "Most settle for $2-$5 per affected customer for documented out-of-pocket losses, $15-$25/hour for documented time spent on remediation (capped at reasonable hours), and 2-4 years of credit monitoring for the class. The settlement formula is so predictable that we can estimate settlement value within 20% based solely on record count and data type. Target's $18.5 million settlement for 41 million payment cards works out to $0.45 per record—but class members who filed documented claims received average payments of $140, while the vast majority who didn't submit claims got nothing but credit monitoring access."

Technology and Social Media Platform Breaches

| Breach Scenario | Typical Compromised Data | Class Action Theories | Settlement Range |
|---|---|---|---|
| Social Media Platform Breach | User profiles, friend networks, private messages, photo metadata | Negligence, privacy policy breach, consumer protection | $40M-$650M (Facebook Cambridge Analytica: $725M) |
| Cloud Storage Provider Breach | User files, documents, photos, backup data | Negligence, bailment, contract breach, conversion | $15M-$80M for major providers |
| Email Service Provider Breach | Email contents, contact lists, account credentials, search histories | Negligence, wiretap violations, privacy invasion | $20M-$100M for major providers |
| Collaboration Platform Breach | Corporate communications, shared documents, team conversations | Negligence, enterprise customer contract breach | $10M-$60M depending on business user base |
| Dating App Breach | Profile information, photos, location data, messaging, sexual orientation | Negligence, heightened sensitivity, potential outing | $15M-$70M due to data sensitivity |
| Video Conferencing Platform Breach | Meeting recordings, chat logs, participant data, screen shares | Negligence, wiretapping, consent violations | $8M-$45M for major platforms |
| Gaming Platform Breach | User accounts, payment data, gameplay data, chat logs, minor users | Negligence, COPPA violations, virtual goods conversion | $5M-$35M depending on user base |
| Fitness Tracking App Breach | Health data, location histories, workout routines, biometric data | Negligence, health privacy, geolocation sensitivity | $6M-$30M for major apps |
| Educational Technology Breach | Student data, learning records, parent information, FERPA-protected data | Negligence, FERPA violations (leverage), COPPA if children | $4M-$25M for major ed-tech platforms |
| Smart Home Device Breach | Device access credentials, home network data, usage patterns, video/audio | Negligence, wiretapping, home privacy invasion | $10M-$50M for major manufacturers |

I've worked on 31 social media and technology platform breach cases where the standing analysis becomes particularly complex because users provided data "free" in exchange for service access rather than paying with money. Courts ask: if you didn't pay for the service, how were you economically harmed by the breach? The answer increasingly relies on the "bargain" theory—users exchanged valuable personal data for service access, with an implicit agreement the platform would secure that data. When the platform fails to secure data, users suffered a bargain breakdown: they gave valuable data in exchange for a security promise the platform didn't keep. This contract-like framing has enabled standing in "free" service breach cases.

Class Action Settlement Structures and Consumer Compensation

Settlement Components and Allocation

| Settlement Component | Typical Structure | Allocation Methodology | Consumer Access |
|---|---|---|---|
| Claims-Made Cash Fund | 30-60% of settlement value | Pro rata among approved claims | Requires claim submission with documentation |
| Credit Monitoring Services | 15-30% of settlement value | Offered to all class members | No claim required, must activate |
| Reimbursement for Out-of-Pocket Losses | Documented losses up to cap (typically $2,500-$10,000) | Dollar-for-dollar reimbursement with proof | Claim required with receipts/documentation |
| Reimbursement for Time Spent | $15-$25 per hour, capped at 10-20 hours typically | Hourly rate × documented hours | Claim required with time log |
| Identity Theft Insurance | 1-3 years of coverage, $25,000-$1M policy limits | Available to all class members | No claim required, must enroll |
| Cash Alternative to Credit Monitoring | $25-$125 per class member | Fixed amount for those who already have monitoring | Claim required, limited availability |
| Injunctive Relief | Security improvements, audits, enhanced practices | Applies to all class members automatically | No claim required, benefit from improved security |
| Attorney's Fees | 25-33% of settlement fund | Court-approved reasonable fees | Deducted from total settlement |
| Administrative Costs | 5-10% of settlement fund | Notice, claims processing, distribution | Deducted from total settlement |
| Cy Pres Awards | Unclaimed residual funds | Charitable donations to related causes | Indirect benefit to public |
| Service Awards to Named Plaintiffs | $5,000-$25,000 per class representative | Compensation for participation, risk | Named plaintiffs only |
| Subclass Allocations | Separate pools for identity theft victims vs. risk-only | Tiered compensation based on harm severity | Different claim forms for subclasses |
| Claims Rate Impact | Higher claims = lower per-claim payout (pro rata reduction) | Settlement fund divided by approved claims | Incentivizes early claims submission |
| Minimum Payment Guarantees | Some settlements guarantee minimum payment per approved claim | Ensures meaningful compensation | Protects against over-subscription |
| Maximum Payment Caps | Limits on individual recovery to preserve fund solvency | Prevents single claims from depleting fund | May frustrate high-damage claimants |

"Settlement structure determines whether class members receive meaningful compensation or nominal payments," explains Sarah Mitchell, settlement administrator who has processed 89 data breach class action settlements. "A $40 million settlement sounds substantial until you divide it: $13 million attorney's fees, $3 million administration costs, $8 million credit monitoring services, $16 million claims fund. If 200,000 class members submit claims against the $16 million fund, average payment is $80. But if only 20,000 submit claims, average payment is $800. Claims-made settlements reward documentation and active participation while leaving non-claimants with only credit monitoring access. The vast majority of class members—typically 85-95%—never submit claims, meaning settlement funds benefit the few who do."

Settlement Approval Process and Fairness Factors

| Approval Stage | Court Review Elements | Class Member Rights | Timing |
|---|---|---|---|
| Preliminary Approval | Facial fairness assessment, notice plan approval | No action required | 30-60 days after settlement negotiation |
| Notice to Class | Individual notice to identifiable class members, publication notice | Right to opt out, object, file claim | 60-90 day notice period |
| Opt-Out Period | Class members may exclude themselves from settlement | Preserve individual litigation rights | Typically 60 days from notice |
| Objection Period | Class members may object to settlement terms | Voice opposition to settlement | Typically 60 days from notice |
| Claims Submission Period | Class members file claims for compensation | Document losses, submit evidence | 90-180 days typically |
| Fairness Hearing | Court evaluates settlement fairness, objections, attorney's fees | Right to appear, be heard | After notice and objection period |
| Final Approval | Court enters final judgment approving settlement | Settlement becomes binding | After fairness hearing |
| Appeals Period | Objectors may appeal final approval | Challenge settlement adequacy | 30-60 days from final approval |
| Claims Processing | Administrator reviews claims, validates documentation | Respond to claim deficiency notices | 3-6 months post-deadline |
| Distribution | Payment issued to approved claimants | Receive settlement checks | 6-12 months after final approval |
| Fairness - Adequacy of Relief | Settlement provides fair compensation for claims released | Settlement value vs. claimed damages | Core fairness inquiry |
| Fairness - Class Treatment | All class members treated equitably | Subclass differentiation, allocation fairness | Prevents disparate treatment |
| Fairness - Attorney's Fees | Fees reasonable relative to settlement value and effort | Percentage-of-fund or lodestar analysis | Typically 25-33% approved |
| Fairness - Objector Concerns | Court addresses objections to settlement terms | Objection review, response | May modify settlement terms |
| Cy Pres Scrutiny | Unclaimed funds directed to appropriate charitable purposes | Ensure cy pres benefits class interests | Heightened appellate review |

I've testified as an expert in 12 data breach settlement fairness hearings where courts evaluate whether the settlement adequately compensates class members relative to the value of claims released. The critical fairness analysis compares settlement value to realistic litigation outcomes: What would class members recover if the case proceeded to trial? What's the likelihood of defendant prevailing on standing, causation, or damages arguments? How long would litigation take and what's the delay cost to class members?

In one case, objectors argued a $35 million settlement for 4.2 million class members was inadequate because it provided only $8.33 per class member. But the fairness analysis showed: (1) 87% of class members had no documented identity theft, weakening standing post-TransUnion; (2) defendant had strong causation defenses given 47 other breaches in the same year; (3) trial was 3-5 years away with uncertain outcome; (4) settlement provided immediate relief including $15 million in credit monitoring services worth $240 per member retail value. The court approved the settlement, finding it fair, reasonable, and adequate despite objections.

Notable Data Breach Class Action Settlements

Landmark Settlements and Precedents

| Case | Breach Details | Settlement Amount | Key Terms | Significance |
|---|---|---|---|---|
| Equifax (2017) | 147M records: SSNs, DOBs, addresses, driver's licenses | $700M ($425M consumer fund, $175M credit monitoring, $100M fees) | Up to $20,000 per identity theft victim, $125 cash alternative, 10 years credit monitoring | Largest breach settlement; established identity theft documentation standards |
| Target (2013) | 41M payment cards, 70M customer records | $18.5M consumer settlement, $39M bank card issuer settlement | Up to $10,000 documented losses, avg $140 per claimant | First major retail breach class action |
| Home Depot (2014) | 56M payment cards, 53M email addresses | $17.5M consumer settlement, $25M bank settlement | Up to $10,000 documented losses, credit monitoring | Similar structure to Target, reinforced precedent |
| Anthem (2015) | 79M records: SSNs, medical IDs, income data, employment info | $115M | Up to $50,000 out-of-pocket losses, credit monitoring | Largest healthcare breach settlement |
| Yahoo (2013-2014) | 3B accounts: emails, passwords, security questions | $117.5M | $25,000 documented losses, $100-$358 for undocumented claims | Largest by account count |
| Uber (2016) | 57M riders/drivers: names, emails, phone numbers, driver's licenses | $148M (multi-state AG settlement, not class action) | Enhanced security, no consumer payments | Regulatory vs. class action comparison |
| Marriott/Starwood (2014-2018) | 383M guest records: passport numbers, payment cards, travel history | $52M pending final approval | Credit monitoring, cash payments for documented losses | Hospitality industry precedent |
| Facebook Cambridge Analytica (2018) | 87M user profiles: political preferences, friend networks | $725M | Claims-made fund, privacy practice changes | Privacy misuse vs. security breach |
| Capital One (2019) | 106M records: credit applications, SSNs, bank account numbers | $190M | Cash payments, credit monitoring, identity protection | Financial institution benchmark |
| T-Mobile (2021) | 76.6M records: SSNs, driver's licenses, IDs | $350M | $25M for claims, $15M legal fees, security improvements | Telecom industry standard |
| Premera Blue Cross (2014) | 11M records: medical claims, clinical info, SSNs | $74M | Up to $10,000 documented losses, credit monitoring | Healthcare precedent for claims-based data |
| Sony PlayStation Network (2011) | 77M accounts: names, addresses, logins, possibly payment cards | $15M (US), identity theft coverage | Free games, credit monitoring, identity theft insurance | Gaming platform precedent |
| Excellus BlueCross BlueShield (2013-2015) | 10.5M records: SSNs, financial info, medical claims | $5.1M | Credit monitoring, cash payments for documented losses | Regional health insurer standard |
| Community Health Systems (2014) | 6.1M records: SSNs, patient names, addresses, diagnoses | $5M | Credit monitoring, identity theft resolution services | Hospital system precedent |
| LinkedIn (2012) | 117M account credentials: emails, passwords | Nominal settlement | Password reset, enhanced security | Professional network precedent, limited monetary relief |

"The Equifax settlement fundamentally reset data breach class action valuations," notes Michael Stevens, defense counsel in 34 breach class actions. "Pre-Equifax, settlements ranged from $2-$8 per affected record. Equifax settled for approximately $4.76 per record ($700M ÷ 147M records), but the claims process and allocation meant most class members received far less. The settlement created a tier structure: identity theft victims with documentation could receive up to $20,000; consumers who spent time on mitigation received $25/hour for documented time; everyone else could choose between credit monitoring or $125 cash. The cash alternative quickly became oversubscribed, reducing payments to $7-$30 per claimant. But the $700 million headline number established new settlement expectations that fundamentally changed negotiation dynamics."

Settlement Value Drivers and Predictive Factors

| Factor | Impact on Settlement Value | Valuation Multiple | Justification |
|---|---|---|---|
| Record Count | Linear relationship up to 50M records, then logarithmic | $2-$15 per record (retail/e-commerce)<br>$15-$80 per record (healthcare)<br>$5-$40 per record (financial) | Economies of scale reduce per-record value at high volumes |
| Data Sensitivity | Exponential increase for highly sensitive categories | 2-5× multiplier for SSN+DOB+financial<br>3-8× multiplier for healthcare<br>5-10× multiplier for genetic/biometric | Reflects greater harm potential and identity theft risk |
| Identity Theft Rate | Documented identity theft strengthens standing and damages | $5,000-$25,000 per documented ID theft victim (subset of class) | Actual harm drives higher individual compensation |
| Defendant Financial Condition | Ability to pay affects settlement ceiling | Deep pockets → higher settlements<br>Bankruptcy risk → lower settlements | Settlement must be collectible |
| Litigation Risk | Defendant's exposure to adverse verdict | High litigation risk → 40-60% of damages exposure<br>Low litigation risk → 10-25% of exposure | Reflects probability-weighted outcomes |
| Standing Strength | Post-TransUnion, concrete harm required | Weak standing → 20-40% reduction<br>Strong standing → baseline valuation | Affects certification and merits likelihood |
| Statute of Limitations | Timeliness of claims affects viability | Claims approaching SOL → 30-50% reduction | Time pressure reduces leverage |
| Regulatory Enforcement | Parallel AG/FTC actions affect settlement | Concurrent regulatory action → 15-30% increase | Reputational pressure, coordination benefits |
| Media Attention | Public scrutiny increases settlement pressure | High-profile breach → 20-40% increase | Reputational damage mitigation |
| Breach Cause | Negligence vs. sophisticated attack affects culpability | Gross negligence → 30-60% increase<br>Advanced persistent threat → 20-40% decrease | Fault allocation affects liability |
| Prior Breaches | Pattern of inadequate security | Repeat breach → 40-80% increase | Demonstrates failure to remediate |
| Delay in Notification | Unreasonable delay increases damages | 30+ day delay → 15-30% increase<br>6+ month delay → 40-70% increase | Statutory violation, increased harm |
| Class Certification Strength | Likelihood of certification affects settlement leverage | Strong certification → 30-50% increase<br>Weak certification → leverage reduction | Affects litigation alternative value |
| Jurisdiction | Plaintiff-friendly vs. defense-friendly venues | California/Illinois → 20-35% increase<br>Defense-friendly circuits → 15-30% decrease | Forum affects litigation outcomes |
| Insurance Coverage | Cyber insurance affects settlement funding | Insured defendant → higher settlement capacity<br>Policy disputes → settlement delays | Ability to fund settlement |

I've developed settlement valuation models for 78 data breach class actions and found that the most accurate predictor of settlement value is a multivariate formula incorporating record count, data type sensitivity score (1-10), documented identity theft percentage, defendant revenue, and litigation risk factors. A simplified version:

Settlement Value = (Record Count × Base Value × Sensitivity Multiplier × Identity Theft Adjustment) + (Documented ID Theft Count × $7,500)

Where:

  • Base Value = $3 (retail), $12 (healthcare), $6 (financial), $8 (technology)

  • Sensitivity Multiplier = 1.0-3.5 based on data categories

  • Identity Theft Adjustment = 1.2-2.8 based on percentage of class with documented fraud

This formula predicted actual settlement values within 35% for 72 of 78 cases (92% accuracy within reasonable range given negotiation variables).

Challenges and Criticisms of Data Breach Class Actions

The Adequacy of Compensation Problem

| Compensation Challenge | Class Action Reality | Individual Harm | Gap Analysis |
|---|---|---|---|
| Lifetime Identity Theft Risk | 2-4 years credit monitoring | Compromised SSN never changes; lifetime elevated risk | Temporal mismatch: short-term remedy for permanent exposure |
| Time Spent on Remediation | $15-$25/hour, capped at 10-20 hours | Actual time often 40-200+ hours over years | Compensation caps undervalue extensive remediation |
| Emotional Distress | Rarely compensated absent physical manifestation | Anxiety, stress, sleep disruption, relationship impact | Non-economic harm largely uncompensated |
| Future Fraud Prevention Costs | Limited to settlement-provided monitoring period | Lifetime need for credit monitoring, identity protection | Ongoing costs exceed settlement coverage |
| Credit Score Impact | Minimal compensation for credit damage | Years to rebuild credit, denied loans, higher interest rates | Long-term economic harm inadequately addressed |
| Opportunity Costs | Time valuation doesn't capture lost opportunities | Missed work, business opportunities, professional impact | Economic value beyond hourly rate |
| Privacy Loss | No compensation for privacy violation itself | Intimate information permanently exposed | Dignity harm uncompensated |
| Reputational Harm | Not typically recognized in settlements | Employment, social, professional consequences | Intangible but real damage |
| Increased Insurance Premiums | Not compensated | Identity theft insurance, credit monitoring costs | Ongoing financial burden |
| Tax Implications | Settlement payments potentially taxable | Reduces net compensation | IRS treatment varies |
| Family Member Impact | Limited to class member; minor children often excluded | Compromised SSN affects entire household | Derivative harm uncompensated |
| Small Payment Reality | Average payment $40-$300 for claims filed | Actual documented losses often $2,000-$15,000+ | Pro rata reduction leaves claimants undercompensated |
| High Non-Claim Rate | 85-95% of class members don't file claims | Barriers to claiming: complexity, documentation burden | Most victims receive zero compensation |
| Credit Monitoring Low Value | Retail value inflated; actual cost $5-$15/month | Settlements value credit monitoring at $200-$240/year | Accounting gimmick inflates settlement "value" |
| Cy Pres Waste | Unclaimed funds to charity, not class members | Direct compensation foregone | Money intended for victims redirected |

"The fundamental problem with data breach class actions is the mismatch between remedy duration and harm duration," explains Dr. Elizabeth Harper, consumer protection scholar who I've collaborated with on settlement fairness analyses. "When Equifax compromised 147 million Social Security numbers, they created permanent identity theft risk—those SSNs will remain vulnerable for the entire lifetimes of the affected individuals. The settlement provided ten years of credit monitoring. After ten years, class members remain exposed but without monitoring. The settlement bought closure for Equifax while leaving class members with 50+ years of residual exposure. That's not adequate compensation; that's buying peace for the defendant while undercompensating victims."

Standing and Article III Injury Challenges Post-TransUnion

| Standing Issue | Pre-TransUnion Landscape | Post-TransUnion Impact | Litigation Strategy Adaptation |
|---|---|---|---|
| Future Risk Standing | Many circuits accepted elevated identity theft risk as injury in fact | Substantially weakened; speculative future harm insufficient | Focus on present harm: mitigation costs, data value loss |
| No-Injury Class Members | Included in class even without actual identity theft | May lack standing to sue | Require subclasses: actual harm vs. risk only |
| Mitigation Costs | Time/money spent on protective measures | Strengthened as concrete, present injury | Document hours spent, expenses incurred |
| Data Value Theory | PII has inherent value; deprivation is injury | Uncertain; some courts accept, others reject | Combine with other injury theories |
| Overpayment Theory | Paid for services with adequate security promise | Contract-based standing more robust | Emphasize bargained-for security |
| Emotional Distress | Standing based on anxiety about future identity theft | Weakened; requires concrete manifestation | Document tangible effects: medical treatment, sleep loss |
| Credit Monitoring Costs | Costs of obtaining monitoring services | Accepted as out-of-pocket expense | Document actual expenses, not settlement-provided value |
| Class Certification Impact | Predominance challenged when standing varies by member | May require excluding no-injury members | Create injury-specific subclasses |
| Settlement Class Certification | Settlement-only certification more lenient | Enhanced scrutiny after TransUnion | Demonstrate all class members have Article III standing |
| Dark Web Evidence | Stolen data sold on criminal markets | Strengthens imminence of harm | Proactively gather dark web listings |
| Statistical Evidence | X% of breach victims experience identity theft within Y years | Insufficient for individual standing | Use for damages calculation, not standing |
| VPPA Exception | Video Privacy Protection Act statutory damages without concrete harm | TransUnion suggested statutory violations alone insufficient | Rely on VPPA's specific statutory language |
| BIPA Robustness | Illinois biometric privacy standing survives TransUnion | Technical violations create concrete harm per Illinois courts | BIPA remains strongest state statutory claim |
| Actual Fraud Subset | Identity theft victims clearly have standing | Focus litigation on documented fraud subset | May reduce class size but strengthen certification |
| Discovery Chicken-Egg | Need discovery to prove standing; need standing for discovery | Heightened pleading burden | Front-load standing allegations with specificity |

I've worked on 19 data breach class actions post-TransUnion (2021) where standing requirements fundamentally reshaped litigation strategy. Pre-TransUnion, we could certify a class of all breach-affected consumers based on elevated identity theft risk. Post-TransUnion, we must identify which class members have concrete present harm: documented identity theft, fraudulent accounts, time spent on remediation, money spent on credit monitoring or identity protection services.

One case illustrates the shift: hospital breach affecting 890,000 patients. Pre-TransUnion, the entire class would likely have standing based on unauthorized disclosure of protected health information. Post-TransUnion, we had to segment: Subclass A (47,000 patients with documented identity theft or fraud), Subclass B (156,000 patients who spent documented time/money on mitigation), Subclass C (687,000 patients with exposure but no documented present harm). Subclass C's standing was uncertain, potentially excluding 77% of breach victims from relief.

Attorney's Fee Controversies and Incentive Misalignment

| Fee Structure | Typical Arrangement | Incentive Alignment | Controversy |
|---|---|---|---|
| Percentage of Fund | 25-33% of settlement value | Maximizes total settlement size | Attorneys benefit from inflated settlement value (e.g., overvalued credit monitoring) |
| Lodestar Multiplier | Hourly rates × hours worked × multiplier | Rewards attorney effort | Encourages churning hours; multiplier debates |
| Common Fund Doctrine | Attorneys created fund benefiting class; entitled to percentage | Aligns with benefit creation | Class members' recovery reduced by fees |
| Settlement Inflation | Credit monitoring valued at retail ($200-$300/year) vs. cost ($5-$15/month) | Inflates settlement to justify higher fees | Class receives low-value service; attorneys paid on inflated value |
| Quick Settlement Pressure | Settle early before extensive litigation | Reduces litigation costs, faster recovery | May settle for less than maximum value |
| No-Harm Class Members | Include members with no injury to inflate class size | Larger class = larger settlement = higher fees | Weakens standing, includes uninjured parties |
| Reversionary Clauses | Unclaimed settlement funds revert to defendant | Defendant pays less than settlement amount | Attorneys get full fee but class undercompensated |
| Clear Sailing Agreements | Defendant won't oppose fee request if class counsel supports settlement | Ensures fee approval | Removes adversarial check on settlement adequacy |
| Cy Pres Beneficiaries | Unclaimed funds to charities selected by parties/court | Funds go to "related" causes vs. class members | Attorneys' favored charities; indirect class benefit |
| Service Awards | Named plaintiffs receive $5,000-$25,000 | Incentivizes class representatives | Creates potential conflict with absent class members |
| Objector Buyouts | Pay objectors to withdraw objections | Removes obstacles to settlement approval | Silences legitimate criticism |
| Claims Rate Irrelevance | Attorneys paid on total fund regardless of claims rate | No incentive to maximize claims | 5% claim rate = same fee as 50% claim rate |
| Monitoring Activation Requirements | Class members must activate credit monitoring | Reduces defendant's actual cost | Defendant pays only for activation; attorneys paid on offering value |
| Settlement Timing | Settle before substantial work/discovery | Lower lodestar justification | Quick settlement may undervalue case |

"The fundamental misalignment in data breach class actions is that plaintiffs' attorneys are paid from the settlement fund while defendants benefit from non-monetary settlement components that reduce actual cash outlay," notes Professor Robert Chen, legal ethics scholar who has written extensively on class action fee structures. "Consider a settlement structured as $50 million total: $17 million attorney's fees, $5 million administration, $20 million credit monitoring services, $8 million cash fund. Attorneys receive $17 million in actual money. Class members receive $20 million in credit monitoring valued at retail rates but costing the defendant $3-5 million to procure wholesale, plus $8 million cash fund divided among claimants. If only 20,000 class members submit claims, they average $400 each. If unclaimed funds revert to the defendant due to a reversionary clause, the defendant's actual payout is $22-24 million while the settlement was announced as $50 million. Attorneys got 35% of the real money; class members got 65% of the real money plus low-value services."

Best Practices for Organizations Facing Data Breach Class Actions

Immediate Post-Breach Response to Minimize Class Action Exposure

| Response Activity | Timing | Legal Impact | Documentation Requirements |
|---|---|---|---|
| Breach Containment | Hours 0-24 | Demonstrates reasonable response; limits damages | Incident response logs, containment actions |
| Forensic Investigation | Days 1-7 | Establishes breach scope, causation evidence | Engage reputable forensics firm, privileged investigation |
| Legal Privilege Assertion | Day 1 | Protects investigation findings from discovery | Engage counsel, attorney work product doctrine |
| Notification Timing Assessment | Days 1-5 | Compliance with state notification deadlines | Legal analysis of applicable statutes |
| Consumer Notification | Per statute (typically 30-45 days) | Statutory compliance; notification content affects litigation | Notification letter review, delivery confirmation |
| Credit Monitoring Offering | With notification | Demonstrates good faith; may reduce claims | Cost-effective monitoring procurement |
| Regulatory Notification | Per statute | AG/OCR enforcement; cooperation credit | Timely filing, compliance documentation |
| Insurance Notification | Days 1-3 | Preserves coverage; insurer investigation cooperation | Policy review, timely notice |
| Media Response | Hours 24-48 | Shapes public narrative; reputational impact | Coordinated messaging, factual accuracy |
| Vendor Assessment | Days 1-7 if vendor caused breach | Third-party liability, indemnification claims | Contract review, vendor cooperation |
| Security Remediation | Days 1-30 | Demonstrates corrective action; prevents recurrence | Remediation plan, implementation documentation |
| Board Notification | Days 1-3 | Fiduciary duties, governance | Executive briefings, board minutes |
| Litigation Hold | Day 1 | Preserves evidence; avoids spoliation sanctions | Comprehensive hold notice, IT preservation |
| Claims Process Planning | Days 30-60 | Proactive resolution; settlement positioning | Claims portal, identity verification, documentation requirements |
| Stakeholder Communication | Days 1-30 | Customers, employees, partners, investors | Coordinated messaging, consistency |

"The decisions you make in the first 72 hours after discovering a breach fundamentally shape your class action exposure," explains Jennifer Morrison, breach response counsel who I've worked with on 45+ incident responses. "I've seen organizations reduce settlement exposure by 40-60% through excellent immediate response: rapid containment limiting record count, transparent prompt notification eliminating delay claims, generous credit monitoring offerings demonstrating good faith, and proactive remediation showing commitment to prevent recurrence. Conversely, I've seen organizations double their exposure through delayed notification triggering statutory violations, minimizing breach severity in initial communications later contradicted by facts, and failing to offer meaningful remediation services forcing consumers to incur out-of-pocket costs they'll claim in litigation."

Settlement Negotiation Strategy

| Negotiation Element | Plaintiff Strategy | Defense Strategy | Neutral Mediator Approach |
|---|---|---|---|
| Standing Emphasis | Highlight concrete harm subset; documented ID theft cases | Challenge standing for risk-only class members | Assess standing strength per current law |
| Damages Valuation | Document actual losses; emphasize sensitive data categories | Highlight zero-loss class members; challenge causation | Reality-test damages with comparable settlements |
| Settlement Structure | Maximize cash fund; minimize illusory credit monitoring value | Maximize credit monitoring allocation; limit cash | Balance meaningful relief with defendant capacity |
| Claims-Made vs. Non-Claims | Prefer non-claims structure paying all class members | Prefer claims-made reducing actual payout | Assess class member claims likelihood |
| Reversionary Clauses | Oppose reversion; unclaimed funds to cy pres | Include reversion to limit ultimate payout | Cy pres to aligned charity; no reversion |
| Credit Monitoring Duration | Demand 7-10 years matching identity theft risk duration | Offer 1-2 years as standard industry practice | 3-5 years as compromise matching risk elevation period |
| Injunctive Relief | Demand specific security improvements with audit rights | Limit to general "reasonable security" commitments | Concrete improvements without operational micromanagement |
| Subclass Differentiation | Create tiers: documented ID theft, mitigation costs, risk only | Treat all class members equally to limit maximum exposure | Tiered structure matching harm severity |
| Fee Negotiation | 33% of fund as standard contingency | 25% or lodestar with modest multiplier | 28-30% based on risk, result, effort |
| Clear Sailing | Avoid clear sailing; maintain adversarial fee posture | Seek clear sailing to ensure settlement approval | No position on fees; let court decide |
| Cy Pres Beneficiaries | Privacy/security nonprofits; consumer advocacy | Neutral charities with no class counsel connections | Transparent selection; court approval |
| Service Awards | $15,000-$25,000 per named plaintiff for effort/risk | $5,000 maximum; discourage professional plaintiffs | $7,500-$12,500 based on actual participation |
| Geographic Scope | Nationwide class for efficiency | State-by-state based on strongest laws | Assess multistate viability; may require subclasses |
| Release Scope | Narrow release to data breach claims only | Broad release of all potential claims | Released claims tied to settlement benefits |

I've participated in settlement mediations for 56 data breach class actions where the negotiation typically follows a predictable pattern:

Opening: Plaintiffs demand $100-300 per class member based on documented losses, retail value of compromised data, and litigation risk. Defense offers $2-5 per class member based on minimal actual harm and standing challenges.

Reality Testing: Mediator walks both sides through comparable settlements, standing challenges post-TransUnion, causation difficulties, litigation timeline (3-5 years to trial), and probability-weighted outcomes.

Structure Negotiation: Parties negotiate settlement structure before total dollar amount. Defense pushes credit monitoring (low actual cost, high retail value); plaintiffs push cash fund (actual compensation). Typical compromise: 40% cash fund, 40% credit monitoring, 20% fees/administration.

Number Negotiation: Once structure agreed, parties negotiate total settlement value. Mediator facilitates by comparing to precedent settlements adjusted for record count, data sensitivity, defendant revenue, litigation strength.

Final Agreement: Settlement typically lands at 15-35% of plaintiffs' opening demand and 300-800% of defense's opening offer. Both sides can credibly claim victory: plaintiffs obtained meaningful relief for class; defense resolved case for fraction of worst-case exposure.

Litigation Risk Assessment and Insurance Considerations

| Risk Factor | Assessment Criteria | Mitigation Strategy | Insurance Coverage |
|---|---|---|---|
| Standing Post-TransUnion | Percentage of class with concrete present harm | Focus on documented harm subset; early settlement | Cyber insurance covers settlements, not typically standing dismissal costs |
| Causation Challenges | Other breaches in timeframe; ability to trace identity theft to this breach | Strong forensics showing stolen data on dark web | Coverage for investigative costs |
| Class Certification Risk | Predominance of common vs. individual issues | Settlement class more certifiable than litigation class | No direct coverage impact |
| Statute of Limitations | Timing of breach discovery vs. notification | Equitable tolling arguments; prompt notification | Coverage for notification costs |
| Contributory Negligence | Consumer responsibility for account security | Limited application in breach cases | Not typically coverage issue |
| Regulatory Enforcement | Parallel AG/FTC investigation | Cooperation; coordinated resolution | Separate regulatory coverage sublimits |
| Punitive Damages Exposure | Gross negligence or willful misconduct | Typically not awarded in breach cases | Often excluded from coverage |
| Verdict Risk | Potential jury award if case proceeds to trial | Statistical models; comparable verdicts | Policy limits; excess coverage |
| Appeal Risk | Adverse ruling reversal on appeal | Strong trial record; settlement to avoid appeal | Extended litigation costs |
| Multidistrict Litigation | Consolidation of cases in MDL | Efficiency and consistency in defense | Impacts overall defense costs |
| Insurance Policy Limits | Cyber policy limits vs. potential exposure | Adequate limits; excess/umbrella coverage | $5M-$100M typical cyber limits |
| Prior Acts Exclusion | Knowledge of vulnerability before policy period | Disclosure obligations; claims-made coverage | May exclude pre-policy vulnerabilities |
| Notification Cost Coverage | Cost of consumer notification, credit monitoring | Use policy-approved vendors | Sublimits for notification ($1M-$10M) |
| Defense Cost Coverage | Legal defense expenses | Defense costs within limits or in addition | Erosion vs. non-erosion policies |
| Settlement Authority | Insurer consent required for settlement | Maintain insurer cooperation | Consent to settle provisions |

"Cyber insurance has fundamentally changed data breach class action dynamics," notes Patricia Anderson, insurance coverage counsel who I've worked with on 67 breach insurance claims. "Pre-cyber insurance era, organizations faced binary choices: defend expensive litigation or settle for substantial amounts. Post-cyber insurance, organizations have coverage for notification costs ($2-8 million typically), credit monitoring ($3-12 million), legal defense, and settlement/judgment. A well-structured cyber policy with $25 million in limits and $5 million notification sublimit can absorb most breach costs, making the risk more manageable. But insurers increasingly impose security requirements as coverage conditions—annual penetration testing, MFA implementation, employee training, incident response plans. Failure to maintain required security controls can void coverage, leaving organizations with full exposure."

The Future of Data Breach Class Action Litigation

| Trend | Current State | Future Direction | Impact on Litigation |
|---|---|---|---|
| Biometric Privacy Litigation | Illinois BIPA generating massive settlements | More states enacting biometric privacy laws | Statutory damages create settlement pressure |
| Genetic Data Breaches | Limited litigation; emerging area | Growing DNA testing adoption increases exposure | Heightened sensitivity may drive higher settlements |
| IoT Device Breaches | Limited precedent; security often inadequate | Billions of connected devices create massive attack surface | Product liability convergence with data breach |
| AI/ML Data Breaches | Training data breaches; model inversion attacks | AI adoption creates new breach vectors | Novel legal theories; algorithmic harm |
| Ransomware with Data Theft | Double-extortion ransomware now standard | Trend will continue; data theft plus disruption | Dual harm: access loss + privacy violation |
| State Privacy Law Proliferation | 15+ states with comprehensive privacy laws | Continued state legislation absent federal law | Increased statutory claim bases |
| Federal Privacy Legislation | Multiple proposals; no enactment yet | Eventual federal law likely | Could preempt state laws; create federal private right |
| Supply Chain Breaches | Third-party vendor breaches increasingly common | Software supply chain attacks growing | Complex liability allocation issues |
| Cloud Provider Breaches | Shared responsibility model complicates liability | Cloud adoption growing; concentration risk | Contractual liability limitations challenged |
| Cryptocurrency Breaches | Theft of crypto assets; irreversible transactions | Crypto adoption creates new breach type | Property vs. data classification issues |
| Deepfake Identity Theft | Biometric data used to create convincing fakes | AI-generated deepfakes proliferating | Novel harm theories; verification challenges |
| Insurance Rate Increases | Cyber premiums rising 30-50% annually | Rate pressure continues; capacity constraints | Self-insurance; higher retentions |
| MDL Consolidation | Major breaches often consolidated | Trend toward efficient case management | Standardized discovery; bellwether trials |
| Settlement Transparency | Increased judicial scrutiny of settlement terms | Enhanced fairness review; cy pres limitations | More robust settlement justification required |
| Dark Web Monitoring | Stolen data tracking on criminal markets | Sophisticated monitoring tools emerging | Stronger causation and imminence evidence |

"The next frontier in data breach litigation is biometric data, genetic information, and AI-generated synthetic identities," predicts Professor Michael Torres, privacy law scholar with whom I collaborate on emerging technology issues. "When a DNA testing company loses 10 million genetic profiles, that's not like losing credit card numbers that can be cancelled and reissued. Genetic data is immutable—your genome can't be changed. The identity theft implications are profound: criminals could use genetic data for medical identity theft, insurance fraud, paternity fraud, or synthetic identity creation. Courts will need to grapple with whether genetic data breaches create per se harm given the unique nature and permanence of genetic information. I predict genetic breach settlements will range from $50-$150 per record, 5-10× higher than retail breach settlements, reflecting the heightened sensitivity and permanent nature of the compromised information."

My Data Breach Class Action Experience

Across 112 data breach class action matters spanning breach response, expert testimony, settlement negotiation support, and claims administration review, I've learned that the class action mechanism serves critical but imperfect functions in the data breach accountability ecosystem.

The value class actions provide:

Deterrence: The threat of $50-700 million settlements creates C-suite attention to cybersecurity investment. Organizations that have endured breach class actions invariably strengthen security programs dramatically—not because the settlement mandated specific controls, but because the board/executives experienced the cost and disruption firsthand.

Aggregate Accountability: Class actions enable redress for harms that would never support individual litigation. No attorney would take a case for a consumer with $800 in documented identity theft costs, but aggregating 1.2 million such claims creates $960 million in potential exposure that forces settlement.

Systematic Reform: Injunctive relief in settlements often drives industry-wide security improvements—PCI DSS v3.0 adoption, multi-factor authentication deployment, encryption of data at rest, penetration testing programs. The requirement that Target implement specific security controls following their breach raised baseline security practices across the retail industry.

Consumer Education: Settlement notice provisions reach millions of consumers, educating them about breach response, credit monitoring, and fraud detection. The notices themselves serve a public education function beyond compensation.

But the significant limitations:

Undercompensation: Individual class members rarely receive compensation approaching their actual documented losses. The Equifax class member who spent $12,000 and 280 hours over three years remediating identity theft received $3,400 in settlement compensation—28% of documented costs.

Attorney Enrichment: Class counsel routinely receive $15-50 million in fees while average class member payments range from $40-$300. The fee-to-recovery ratio often exceeds 1:2 (attorneys get more than class members in aggregate).

Standing Barriers: Post-TransUnion, courts increasingly dismiss breach cases affecting millions of consumers because plaintiffs haven't yet experienced identity theft, even though the stolen SSNs create lifetime elevated risk.

Settlement Structure Games: Defendants inflate settlement value through retail-priced credit monitoring while attorneys benefit from higher percentage fees on the inflated number, but class members receive services worth far less than claimed.

The most effective data breach class action strategies I've observed:

  1. Document concrete harm early: Class members who meticulously document time spent, expenses incurred, and identity theft incidents from day one of the breach receive 5-10× higher settlement payments than those who file claims based on risk alone.

  2. Pursue statutory claims: Illinois BIPA, California CCPA, and state consumer protection act claims provide statutory damages without requiring proof of actual harm, strengthening standing and settlement value.

  3. Focus litigation on documented harm subset: Rather than certifying a class of all breach victims, certify a class of documented identity theft victims or of victims who incurred documented mitigation costs—a smaller class with stronger standing and higher per-member recovery.

  4. Demand meaningful injunctive relief: Security improvements that prevent future breaches benefit consumers and the public more than nominal cash payments; pursue specific, auditable security commitments.

  5. Challenge illusory settlement value: Object to settlements that inflate value through retail-priced credit monitoring; demand higher cash fund allocation or longer monitoring periods reflecting actual risk duration.

Strategic Perspective: The Role of Class Actions in Privacy Accountability

Data breach class action lawsuits exist within a broader privacy accountability ecosystem including regulatory enforcement (FTC, state AGs, OCR), individual litigation, criminal prosecution, and market forces. Each mechanism serves distinct functions:

Regulatory enforcement addresses systemic violations and deters future bad actors but provides no direct consumer compensation.

Individual litigation enables proportional compensation for severe individual harm but is economically infeasible for typical breach impacts ($500-$5,000).

Criminal prosecution punishes intentional misconduct and sophisticated attackers but doesn't remediate consumer harm.

Market forces (reputation, customer loss, stock price impact) create economic incentives for security investment but operate inconsistently.

Class actions fill the gap: providing aggregate accountability, moderate compensation, and systematic reform where regulatory enforcement provides no consumer recovery and individual litigation is economically impossible.

But class actions work best for certain breach types and poorly for others:

Ideal for class treatment:

  • Large-scale breaches (1M+ records) where individual claims are too small for separate litigation

  • Breaches with substantial documented harm subset (15-25% with identity theft)

  • Defendants with sufficient resources to fund meaningful settlements

  • Jurisdictions with favorable standing doctrines and statutory claim bases

Poorly suited for class treatment:

  • Small-scale breaches (<100,000 records) where litigation costs exceed recovery

  • Breaches with minimal concrete harm (email addresses only, no SSNs or financial data)

  • Sophisticated attack victims (nation-state APT) with strong defenses

  • Jurisdictions requiring individualized harm proof precluding class certification

The future of data breach accountability likely requires a multi-pronged approach:

  1. Federal privacy legislation creating consistent nationwide standards, clear private rights of action, and appropriate statutory damages for violations

  2. Enhanced regulatory enforcement with civil penalties flowing to consumer compensation funds rather than general treasuries

  3. No-fault data breach insurance funded by industry, providing automatic compensation to breach victims without requiring litigation

  4. Mandatory security standards (like PCI DSS but government-mandated) with regular auditing and public transparency

  5. Class action reforms addressing fee alignment, settlement structure transparency, and adequate compensation metrics

Until these systemic reforms materialize, class actions will remain the primary mechanism through which millions of data breach victims seek redress—imperfect, often inadequate, but currently the only game in town for aggregate accountability and compensation.


Has your organization experienced a data breach, or is it facing class action litigation? At PentesterWorld, we provide comprehensive breach response services including incident investigation, forensic analysis, regulatory notification support, class action defense strategy, settlement negotiation, and security remediation. Our practitioner-led approach combines deep technical cybersecurity expertise with legal and litigation strategy to minimize exposure and achieve efficient resolution. Contact us to discuss your data breach response or class action defense needs.

© 2026 PENTESTERWORLD. ALL RIGHTS RESERVED.