Study Guide: Certified Information Privacy Professional (CIPP): US - Class Action Lawsuits for Data Breaches
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-us-class-action-lawsuits-for-data-breaches

Certified Information Privacy Professional (CIPP): US - Class Action Lawsuits for Data Breaches

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


What This Is

A class-action lawsuit for a data breach is a collective legal claim filed by a group of individuals (the “class”) who have suffered similar harm because a company failed to protect their personal information. In the United States, these suits are typically brought under state consumer-protection statutes (e.g., California’s CCPA/CPRA) or common-law negligence theories, and they can result in multi-million-dollar settlements that force organizations to improve security, change policies, and pay damages.

Real-world scenario: In 2020 the credit-reporting giant Equifax suffered a breach that exposed the Social Security numbers, birth dates, and credit-card details of ~147 million Americans. A class-action was filed in federal court alleging that Equifax failed to implement reasonable security controls, leading to a settlement of over $700 million and a court-ordered “security-program remediation plan.”


Key Terms & Provisions

  • Class-Action (U.S. law): A lawsuit where one or more “representative” plaintiffs sue on behalf of a larger group who share the same legal claim.
  • Consumer-Protection Statutes (U.S.): State laws (e.g., California Consumer Privacy Act – CCPA/CPRA, New York SHIELD Act) that give consumers the right to sue for statutory violations, including failure to safeguard data.
  • Negligence Claim (Common Law): A cause of action alleging that a company owed a duty of care, breached that duty, and caused damages.
  • Breach Notification Deadline (U.S.): Varies by state; most require notice “without unreasonable delay” (often within 30 days) after discovery of a breach.
  • Statutory Damages (U.S.): Fixed monetary awards per violation (e.g., CCPA: $100–$750 per consumer per incident, up to $1.5 million for a single breach).
  • Preservation Letter / Litigation Hold: A formal request to retain all relevant electronic evidence (emails, logs, backups) once a breach is suspected, to avoid spoliation sanctions.
  • Settlement Fund (Class-Action): Money set aside to compensate class members, cover attorneys’ fees, and fund remedial actions.
  • Attorney-General (AG) Enforcement (U.S.): State AGs can bring actions on behalf of residents; many class-actions are coordinated with AG investigations (e.g., the FTC’s settlement with Target after the 2013 breach).
  • Data-Security Standard (PCI-DSS): Not a law, but a contractual requirement for merchants handling credit-card data; failure can trigger class-actions and fines from card brands.
  • HIPAA Breach Notification Rule (U.S.): Requires covered entities and business associates to notify affected individuals, HHS, and sometimes the media within 60 days of a breach of protected health information (PHI).
  • GDPR Art. 32 (EU): Requires “appropriate technical and organisational measures” to ensure a level of security appropriate to the risk; failure can lead to EU-wide class-actions (e.g., the 2022 British Airways case).

Step-by-Step Process Flow (Handling a Potential Class-Action)

  1. Detect & Verify the Breach – Confirm that unauthorized access occurred, identify the data types, and assess scope.
  2. Activate the Incident-Response Plan & Litigation Hold – Issue a preservation notice to IT, legal, and compliance teams; freeze relevant logs and backups.
  3. Notify Regulators & Affected Individuals – Follow state-specific breach-notification timelines (e.g., 30 days for California) and HIPAA’s 60-day rule if PHI is involved.
  4. Conduct a Forensic Investigation & Risk Assessment – Determine root cause, estimate the number of potentially harmed individuals, and document findings for discovery.
  5. Engage Counsel & Evaluate Exposure – Work with outside counsel to assess liability under consumer-protection statutes, negligence, and any contractual obligations (PCI-DSS, HIPAA).
  6. Negotiate Settlement or Prepare for Litigation – If a class-action is filed, evaluate settlement offers, remediation commitments, and class-member notice requirements; keep the board and senior leadership informed throughout.

Common Mistakes

  • Mistake: Assuming a breach that affects <500 records cannot trigger a class-action. Correction: Class-action eligibility is based on similarity of harm, not a numeric threshold; even a single compromised record can spark a suit if the statutory duty was breached.
  • Mistake: Waiting until the regulator contacts you before preserving evidence. Correction: Issue a litigation hold immediately after the breach is suspected; spoliation can lead to adverse-inference rulings and higher damages.
  • Mistake: Believing that “no PII” = no liability because the data was “encrypted.” Correction: Encryption must meet the standard of the applicable law (e.g., NIST SP 800-111 for CCPA); if encryption is weak or the key is also compromised, the breach is still reportable and can fuel a class-action.
  • Mistake: Relying solely on the “business-associate” exemption in HIPAA to avoid breach notification. Correction: Business associates are directly liable under HIPAA’s breach-notification rule and can be sued by individuals or the HHS Office for Civil Rights.
  • Mistake: Thinking that a settlement automatically ends all liability. Correction: Settlements often include injunctive relief (e.g., security-program audits) and may be subject to future enforcement if the company fails to comply with the remedial terms.

CIPP Exam Insights

  1. Statutory vs. Common-Law Claims – Exams love to ask whether a breach can be pursued under a state consumer-protection statute (e.g., CCPA) or under negligence. Remember: statutory claims require a violation of a specific duty; negligence requires proof of duty, breach, causation, and damages.
  2. “Targeting” Test for GDPR Art. 3 – Even for a CIPP/US exam, you may be asked how a U.S. company could face a GDPR-based class-action. The key is the “targeting” prong: offering goods/services to EU residents or monitoring their behavior.
  3. HIPAA Notification Timing – The 60-day rule is a frequent trap. The clock starts when the breach is discovered, not when it is reported to the media.
  4. CCPA/CPRA “Statutory Damages” vs. “Actual Harm” – Under the CCPA, a plaintiff can recover statutory damages even without proof of actual injury; if the breach is “unintentional,” however, the damages are reduced to $100 per consumer.

Quick Check Questions

  1. Question: A retailer based in Texas discovers that a hacker accessed the credit-card numbers of 2,200 customers. The retailer notifies the affected individuals 45 days after discovery. Under the Texas Data Breach Notification Act, is the retailer at risk of a class-action?
    Answer: Yes. Texas law requires notice “without unreasonable delay” (generally interpreted as within 30 days). The 45-day delay can be deemed unreasonable, opening the retailer to statutory damages and a class-action.

  2. Question: A U.S. health-tech startup stores PHI on a cloud server located in Ireland. A breach exposes the data. Can the startup be sued in a U.S. class-action under HIPAA?
    Answer: Yes. HIPAA’s jurisdiction is based on the entity (the covered entity or business associate), not the data’s physical location. The breach triggers HIPAA’s 60-day notification rule and potential civil enforcement, which can be the basis for a class-action.

  3. Question: After a breach, a company immediately offers free credit monitoring to all affected consumers. Does this automatically shield the company from a class-action?
    Answer: No. Offering remediation does not eliminate liability; the company still must demonstrate compliance with statutory duties and may still face damages and injunctive relief.


Last-Minute Cram Sheet (10 One-Liners)

  1. CCPA/CPRA statutory damages: $100–$750 per consumer per incident; max $1.5M for a single breach.
  2. HIPAA breach-notification deadline: 60 days from discovery to individuals, HHS, and media (if >500 NY residents).
  3. PCI-DSS breach consequence: Card brands can levy fines up to $100K per incident and require remediation.
  4. California SHIELD Act: Requires “reasonable security” measures; failure can trigger class-action under California law.
  5. Equifax settlement (2020): $700M total; includes a court-ordered security-program audit.
  6. Target breach (2013) FTC settlement: $18.5M penalty plus $10M for a comprehensive security program.
  7. GDPR Art. 32 “appropriate security”: Failure can lead to €20M or 4% of global turnover fines; EU class-actions are increasingly common.
  8. Preservation Letter: Must be issued within 24 hours of breach detection to avoid spoliation sanctions.
  9. Statutory “unintentional” breach reduction (CCPA): Damages drop to $100 per consumer if the breach was not caused by negligence.
  10. Exam trap: “Targeting” under GDPR applies even if a company has no physical presence in the EU; merely offering a website to EU residents can create jurisdiction.

Use this guide to drill the core concepts, memorize the high?yield facts, and walk through the practical steps you’ll need when a breach threatens a class?action.