Can You Sue a Company for a Data Breach? (Updated 2026)

Someone hacks a company. Your name, your card number, maybe your Social Security number ends up for sale on a forum. So a fair question follows: can you sue a company for a data breach, and would the case actually win? The short answer is yes, you can file. The longer answer depe

Cybersecurity Can You Sue a Companies Data Breaches
Marcus Chen · Director of Sales June 17, 2026 14 min read ~3,017 words
Share 14 min · ~3,017 words
Cybersecurity & Data Protection

Can You Sue a Company for a Data Breach?

Your rights after a data breach, plus what businesses owe customers under state and federal privacy law
Serving Miami Since 1999  |  12 min read

Can You Sue a Company for a Data Breach

Quick answer: Yes, you can sue a company for a data breach if its failure to protect your information caused you real harm. Most claims move forward as class actions built on negligence, breach of contract, or a state privacy statute. Your odds depend on what data leaked, where you live, and whether you can show a concrete injury such as fraud, identity theft, or money spent on monitoring.

The Short Version

Can You Sue a Company for a Data Breach?

Someone hacks a company. Your name, your card number, maybe your Social Security number ends up for sale on a forum. So a fair question follows: can you sue a company for a data breach, and would the case actually win? The short answer is yes, you can file. The longer answer depends on the harm you suffered and the law in your state.

Courts treat a breach as a possible breach of duty. A business collects your personal data, and with it comes a responsibility to guard it. When weak security lets attackers walk in, the people whose records leaked may have grounds to seek compensation. But a leak alone is not always enough. Judges usually want to see a concrete injury, not just the worry of one. And this single requirement decides a huge share of these cases.

This guide walks through who can sue, what you can recover, how class actions differ from solo lawsuits, and how state laws in Florida, Illinois, Indiana, and Ohio change the math. Our team works with South Florida businesses on the prevention side every day, so we also cover what companies can do to stay off the wrong end of one of these claims. For a head start, see our practical tips on preventing security breaches.

Standing & Injury

What Counts as Real Harm?

Here is the hinge of almost every data breach lawsuit: standing. A court will ask one blunt question. Were you actually hurt? If a thief drained your account or opened a credit card in your name, the answer is clear. The harm is real, present, and easy to point to.

Other cases are murkier. Say your email and a hashed password leaked, but nothing happened yet. Some courts accept the heightened risk of future fraud as injury enough to proceed. Others toss the claim and ask you to come back once damage shows up. The split runs deep across federal circuits, and it explains why two near-identical breaches can produce two opposite rulings.

Damages people commonly claim include:

  • Direct financial loss from fraud or unauthorized charges on your accounts
  • Money spent on credit monitoring, freezes, or identity restoration services
  • Hours of your own time spent cleaning up the mess, valued at an hourly rate
  • Emotional distress, where a state allows it as a recoverable category
  • The lost market value of personal data once it sits in criminal hands

So what tips a case toward success? Sensitive data. Theft of a name and a street address rarely clears the bar. Theft of a Social Security number, a driver license, financial account numbers, or health records usually does. The more dangerous the leaked field, the stronger your footing.

Legal Grounds

The Three Ways People Sue Over a Breach

Plaintiffs rarely rely on a single theory. Good complaints stack several, since a judge may accept one and reject another. Three grounds show up again and again.

1. Negligence

This is the workhorse claim. The argument is simple. A company owed a duty to use reasonable security, it skipped the duty, and the breach followed as a result. Outdated software, no encryption, ignored warnings, a missing patch: each can look like negligence to a jury. The harder part is proving the sloppy security directly caused your specific loss.

2. Breach of Contract or Implied Contract

Many companies promise to protect your information in a privacy policy or terms of service. Break that promise, and you may have a contract claim. Even without a signed agreement, courts sometimes find an implied contract: you handed over data, and the business implicitly agreed to safeguard it. Retailers and healthcare providers see this theory often.

3. State Privacy Statutes

Some states wrote laws with real teeth. The California Consumer Privacy Act lets residents seek set damages for certain breaches without proving a dollar of loss. Illinois protects biometric data under its Biometric Information Privacy Act, with penalties per violation. These statutes can be the strongest path, because they spell out the rules and the price of breaking them.

A quick caveat worth stating plainly. Suing is not the only road, and it is rarely the fast one. Many breaches settle as class actions years after the event, and individual payouts can be modest. We will get to that trade-off next.

Two Paths

Class Action vs. Individual Lawsuit

Once you decide to act, a fork appears. Join a class, or file your own suit? Each fits a different situation. Here is a side-by-side look.

Factor Class Action Individual Lawsuit
Best for Small or hard-to-prove individual losses spread across many people Large, documented personal losses such as major fraud or identity theft
Your cost Usually none up front; lawyers take a percentage of the settlement Often contingency too, but you carry more of the case
Effort from you Low; you file a claim form and wait High; depositions, evidence, and a longer timeline
Typical payout Modest per person, sometimes a few dollars to a few hundred Potentially much larger if losses are real and provable
Speed Slow; settlements can take two to four years Variable, but you control the pace more
Control Little; class counsel runs the strategy Full control over decisions and settlement choices

So which wins? It depends on your numbers. If a breach cost you ten dollars and an afternoon, a class action is the sensible route. But if fraud drained thousands and wrecked your credit, a solo case could recover far more than a class check ever would. Talk to a data breach attorney before you pick, because once you accept a class settlement, you usually give up the right to sue on your own.

By The Numbers

What a Breach Actually Costs

The money behind these cases is not small. Recent research puts hard figures on the damage, and the totals explain why companies and plaintiffs both treat breaches so seriously.

$4.44MGlobal average cost of a data breach in 2025, per IBM, down from $4.88M in 2024
$10.22MAverage breach cost in the United States, the highest of any region (IBM, 2025)
60%Share of small businesses that close within six months of a serious cyberattack
43%Small businesses hit by at least one cyberattack in a recent 12-month span

The IBM figure for the United States, $10.22 million on average, sits far above the global number because of steep regulatory fines and slower detection. There is one bright spot worth flagging. Organizations using security AI and automation widely cut their breach lifecycle by about 80 days and saved close to $1.9 million on average, according to the same IBM report. Speed of detection moves the needle more than almost anything else.

For a small or midsize Florida company, the picture is sobering. Estimates put the cost of responding to and resolving a single incident anywhere from $120,000 to well over $1 million. So prevention is not a luxury line item. It is survival math.

State By State

How State Laws Change Your Case

There is no single national data breach law in the United States. Instead, fifty states wrote their own rules, and the gaps between them are wide. Where you live shapes what you can claim and how much a company risks. Here are four states the original version of this article highlighted, updated and put side by side.

State What stands out Penalty signal
Florida (FIPA) 30-day notice rule; covers any business holding Florida residents’ data; encryption acts as a safe harbor State enforcement plus civil exposure; treated as an unfair trade practice
Illinois (BIPA) Strong protection for biometric data like fingerprints and face scans; a private right to sue Set damages per violation, often $1,000 to $5,000 each
Indiana Requires notice when unencrypted personal data is accessed; enforced by the attorney general Civil penalties reported up to roughly $150,000 per deceptive act
Ohio Data Protection Act offers a safe harbor to firms that adopt a recognized framework Reduced liability for compliant firms; full exposure for the rest

Notice the pattern. Some states reward good security with a shield, while others punish bad security with stiff fines. Illinois stands out for letting individuals sue directly under BIPA, which has produced some of the largest privacy settlements in the country. And Ohio takes the opposite tack, dangling a legal safe harbor as a carrot for companies that follow a respected standard like the one from the National Institute of Standards and Technology.

Real Cases

Real Cases Behind the Rules

Abstract law gets easier to grasp through real settlements. Big breaches have already tested these theories in court, and the numbers grabbed national attention. A few examples show how high the stakes climb.

Anthem, one of the largest health insurers in the country, reached a record HIPAA settlement with federal regulators after a breach exposed records on tens of millions of people. The U.S. Department of Health and Human Services detailed the resolution in its own public guidance on the Anthem settlement. The case became a reference point for what regulators expect from companies holding medical data.

Morgan Stanley faced a multistate action over mishandled customer data tied to decommissioned hardware, and the resolution ran into the tens of millions of dollars. The lesson cut clean. Old servers and retired devices still hold live data, and forgetting them creates liability long after they leave the rack.

Two patterns jump out of these cases. First, regulators and private plaintiffs often pursue the same breach from different angles, which multiplies a company’s exposure. Second, the costliest failures usually trace back to ordinary lapses: an unpatched system, a forgotten drive, a missing control. None of it was exotic. Most of it was preventable. And prevention is exactly where a managed services partner earns its keep.

South Florida Focus

Florida’s FIPA and What Miami Businesses Owe

If you run a business in Miami, Fort Lauderdale, or anywhere in South Florida, one law sits at the center of your obligations: the Florida Information Protection Act, or FIPA. And it is broader than many owners assume.

FIPA reaches any entity that acquires, stores, or uses the personal information of Florida residents. A five-person shop on Brickell faces the same legal standard as a five-hundred-person firm downtown. The statute is also extraterritorial, so a company outside Florida still answers to FIPA if it holds data on Floridians.

The core duties are clear:

  • Notify affected individuals in writing within 30 days of discovering a breach of unencrypted personal data
  • Tell the Florida Department of Legal Affairs when a breach touches 500 or more residents
  • Include the breach date, the data types exposed, and the steps taken in every notice
  • Take reasonable measures to protect and securely dispose of personal records

Here is the part smart owners act on. Florida builds in an encryption safe harbor. If the stolen data was properly encrypted, the notification trigger usually does not fire. So encryption is not just good hygiene. It is a legal shield written into the statute. The team at 1800 Office Solutions helps South Florida companies put exactly these controls in place, from device encryption to secure print and document workflows.

Prevention

How Businesses Lower Their Breach Liability

Lawsuits land hardest on companies seen as careless. So the surest defense is a record of reasonable, documented security. You cannot promise a breach will never happen. But you can show a court, a regulator, and your customers a serious, documented effort to protect data. This distinction often decides liability.

Practical steps that hold up well under scrutiny:

  • Encrypt sensitive data at rest and in transit, which can trigger Florida’s safe harbor
  • Patch software on a schedule and retire unsupported systems before they become open doors
  • Train staff to spot phishing, since most breaches start with a single clicked link
  • Lock down printers, copiers, and scanners, which quietly store images of every document
  • Build and rehearse an incident response plan, so a 30-day clock never catches you flat
  • Adopt a recognized framework such as the NIST guidance, which several states reward

This fourth point gets overlooked constantly. A modern office copier holds a hard drive, and the drive can keep a copy of every tax form, contract, and medical record it ever processed. Secure those devices, or they become the weakest link nobody is watching. It is one reason print and device security sits inside a serious cybersecurity plan.

Two external resources are worth bookmarking. The federal CISA cybersecurity best practices hub gives plain-language guidance for smaller teams. And the NIST Cybersecurity Framework offers the structured roadmap many state safe harbors point to directly.

How We Help

How 1800 Office Solutions Helps

We are not a law firm, and we will not file your lawsuit. What we do is sit on the prevention side, helping South Florida businesses build the kind of documented security to keep them out of court in the first place. Here is where we plug in.

Managed Cybersecurity

Monitoring, threat detection, and response tuned for small and midsize Florida offices.

Data Encryption

Encryption across devices and document flows, the control able to trigger FIPA’s safe harbor.

Secure Print & Copy

Locking down the hard drives inside copiers and scanners so stored images never leak.

Staff Training

Phishing awareness and simple habits that stop the clicks behind most breaches.

Compliance Support

Aligning your setup with NIST guidance and Florida notification rules.

Incident Readiness

Response planning so a discovered breach never blows past the 30-day notice window.

Want a clear look at where your gaps are? A short conversation with 1800 Office Solutions can map your current exposure and the fixes worth doing first. You can start with a quick consultation or read more on our approach to printer and document security.

FAQ

Frequently Asked Questions

Can you sue a company for a data breach?

Yes. You can sue a company for a data breach when its failure to protect your information caused you harm. Most cases proceed as class actions based on negligence, breach of contract, or a state privacy statute. Success usually turns on showing a concrete injury, such as fraud or money spent on monitoring.

Do I need to show actual financial loss to sue?

Often, yes, though it varies by court. Some judges accept a heightened risk of future identity theft as enough to proceed. Others require a present, measurable injury before a case moves forward. The split between federal circuits is real, so the same facts can land differently depending on where you file.

How much money can I get from a data breach lawsuit?

It ranges widely. Class action payouts per person can run from a few dollars to a few hundred. A strong individual case with documented fraud or identity theft can recover far more. The final number depends on the data exposed, the harm proven, and the settlement terms.

What is the difference between a class action and an individual suit?

A class action groups many people with similar small losses into one case, with low effort and a modest per-person payout. An individual suit fits someone with large, provable losses who wants more control and a potentially bigger recovery. Accepting a class settlement usually waives your right to sue on your own.

How long do I have to file a data breach claim?

The window varies by state and by the type of claim, commonly running from one to several years after the breach is discovered. Because the clock differs by statute, anyone considering a claim should check their state’s limits early. Waiting too long can close the door entirely.

What does the Florida Information Protection Act require?

FIPA requires businesses to notify affected Florida residents in writing within 30 days of discovering a breach of unencrypted personal data. Breaches affecting 500 or more residents also require notice to the state. Properly encrypted data generally falls under a safe harbor, so the notice trigger may not apply.

Can a small business be sued for a data breach?

Yes. Under laws like Florida’s FIPA, a small shop is held to the same standard as a large corporation. Size offers no exemption. And because small firms often carry thinner security budgets, they can face outsized risk from a single incident.

Does encryption really protect a company from liability?

It helps significantly. Florida and several other states treat properly encrypted data as a safe harbor, meaning a breach of that data may not trigger notification duties. Encryption does not erase every risk. But it is one of the few controls written directly into the law as protection.

What should a business do right after discovering a breach?

Move fast. Contain the incident, document everything, and start the notification clock, which runs just 30 days in Florida. Bring in technical and legal help early, and tell affected people clearly. A prepared incident response plan turns a chaotic scramble into a controlled process.

How can 1800 Office Solutions reduce my breach risk?

We focus on prevention for South Florida businesses: managed cybersecurity, data encryption, secure print and copy controls, staff training, and compliance support aligned to NIST guidance. The goal is a documented, reasonable security posture that lowers both your breach odds and your legal exposure. Reach out for a consultation to find your gaps.

Is suing the only option after a breach?

No. Many people freeze their credit, enroll in monitoring, and file claims in existing class actions instead of launching a solo suit. Litigation is one tool among several. For larger documented losses, though, an individual case can be worth the effort.

Protect Your Business Before a Breach Becomes a Lawsuit

1800 Office Solutions helps Miami and South Florida companies build real, documented cybersecurity. Your One Source For Everything Office.

1-800-346-4679

GET A FREE CONSULTATION

Subscribe

Get one short email each Wednesday.

Top three new posts plus one practical tip our field team learned that week. Read in five minutes. Unsubscribe in one click.

One-click unsubscribe · never sold or shared