Cybersecurity Litigation

Cybersecurity litigation is evolving, addressing data breaches, corporate liability, and emerging legal complexities as interconnected systems drive new risks.

Cybersecurity lawsuits typically seek compensation after individuals or organizations suffer harm from a data breach or other data systems issue. As the world becomes ever more interconnected, data breaches and resulting harms will continue to drive cybersecurity litigation.

Common Causes of Cybersecurity Lawsuits

“Cybersecurity lawsuits” is a large category, encompassing a range of issues related to data sharing and storage, data encryption, and both hardware and software protections.

To date, most cybersecurity litigation claims fall under one of two headings: data breaches and corporate liability.

Data Breaches

Data repositories are a popular target for cyberattacks. Collections of personal identifying information (PII), including names, addresses, and Social Security and credit card numbers, offer opportunities for mass-scale identity theft. Consequently, many recent cybersecurity cases have focused on data breaches.

Data breaches frequently beget class action lawsuits. Consumers whose information is breached face similar harm from the same event or events and typically seek similar remedies.

Corporate Liability

To address harm from cyberattacks, federal, state, and some local lawmakers have enacted cybersecurity laws and standards. Companies that fail to adhere to these standards risk facing corporate liability if their failure is exploited in a cyberattack. Many cybersecurity lawsuits, including those that focus on data breaches, rest on a theory of corporate liability.

Early Case Studies in Cybersecurity Litigation

Over the past decade, landmark cybersecurity lawsuits have begun shaping this area of law. Key cases include:

  • Target Data: In 2013, Target suffered a data breach in which 70 million customer records and 40 million credit/debit records were stolen. The company paid an $18.5 million settlement. Customers’ loss of faith in the company’s security reverberated for years, affecting Target’s brand and bottom line.
  • 23andMe: Genetics testing company 23andMe faced a data leak that exposed personal information of 7 million customers. In 2024, 23andMe agreed to pay a $30 million settlement.
  • Equifax: In September 2017, Equifax announced that a data breach had exposed approximately 147 million customers’ personal financial information. The resulting $425 million settlement is among the largest recorded in a cybersecurity case to date.
  • Delta Airlines: A 2024 CrowdStrike tech glitch caused outages at Delta Airlines and other businesses worldwide. In October 2024, Delta sued CrowdStrike, claiming CrowdStrike’s negligence had caused the outage, resulting in thousands of canceled flights and millions in lost revenue and expenses to the airline.

Subsequent cases will continue to refine points raised in these early claims and to explore new legal questions.

Litigation Processes in Cybersecurity Lawsuits

Broadly, litigation processes in cybersecurity lawsuits follow settled practices for civil procedure. In practice, certain points within this process receive greater emphasis. Emerging patterns in cybersecurity litigation processes include:

  • Pre-trial procedures: Cybersecurity litigation is a developing area of law, with many unknowns. Consequently, many parties have emphasized pre-filing negotiations and demand letters as a way to address issues before entering the litigation process.
  • Trial vs. settlement: To date, most large cybersecurity cases have reached settlement before trial. The spate of unanswered questions in this area tends to encourage parties to settle rather than risk a loss at trial.
  • Privilege and Confidentiality: Many cybersecurity cases focus on data breaches. Because PII lies at the heart of the case, strong controls for privileged communications are a must. Often, parties and their counsel find themselves learning best practices in data protection to manage information properly during the case, as well as to discuss issues of negligence or noncompliance.

The Delta v. CrowdStrike case demonstrates a turn away from cybersecurity as a purely class action, consumer-driven matter. As more companies seek compensation from one another, points of procedural emphasis may change as well.

Challenges in Cybersecurity Litigation

Cybersecurity litigation also raises certain substantive and procedural challenges. Common challenges in these cases include:

  • Standing: Demonstrating “actual or imminent harm” can be challenging for plaintiffs, particularly when most people may never know their personal information was compromised.
  • Negligence: The law regarding duty of care and breach thereof is still developing in cases of cybersecurity information breaches and other digital issues. Demonstrating cause in fact or proximate cause can also prove challenging.
  • Class Action Issues: Some cases, such as the Equifax case, involve millions of plaintiffs. Managing a class of this size, which can span every US state and territory, can pose significant challenges related to information management, choice of venue and jurisdiction, coordination of attorney efforts, and more.

As cybersecurity litigation diversifies, additional challenges are likely to arise.

Legal Trends and Future Outlook

Cybersecurity law is developing in a rapidly changing context. While courts and the public are only beginning to understand the complexities of PII breaches, ransomware attacks have increased, opening a new avenue for litigation and legal questions. A need to reconcile conflicting decisions at the trial level will also increase the volume of cases heading to courts of appeals. As legislators attempt to address cybersecurity, compliance with statutory and regulatory demands will shape questions of fault as well.

Recent years demonstrate a rising trend of cybersecurity breaches leading to litigation. This trend is likely to continue, embracing new forms of cyber attacks and new methods to prevent and remediate these attacks.

Frequently Asked Questions

What are the common causes of cybersecurity lawsuits?

Common causes of cybersecurity lawsuits include data breaches, where personal identifying information is compromised, and corporate liability due to failure to adhere to cybersecurity laws and standards.

How can companies avoid corporate liability in cybersecurity cases?

Companies can avoid corporate liability in cybersecurity cases by adhering to established cybersecurity laws and standards, implementing robust data protection measures, and conducting regular security audits to mitigate potential vulnerabilities.

What challenges do plaintiffs face in cybersecurity litigation?

Plaintiffs in cybersecurity litigation face challenges such as demonstrating "actual or imminent harm," navigating developing laws regarding negligence, and managing complex class action issues with potentially millions of plaintiffs.

About the author

Dani Alexis Ryskamp, J.D.

Dani Alexis Ryskamp, J.D., is a multifaceted legal professional with extensive experience in insurance defense, personal injury, and medical malpractice law. Her diverse background includes valuable internships in criminal defense, which have enriched her understanding of various legal sectors. She served as the Executive Note Editor of the Michigan Telecommunications and Technology Law Review, demonstrating a strong commitment to legal scholarship. Dani graduated with a J.D. from the University of Michigan Law School in 2007, following a summa cum laude B.A. in English from Ferris State University in 2004. She is an active member of the Michigan State Bar and the American Bar Association, reflecting her dedication to the legal profession.

Currently, Dani has channeled her legal expertise into a successful career as a freelance writer and book critic, primarily focusing on the legal and literary markets. Her writing portfolio encompasses a wide range of topics, including landmark settlements in medical negligence cases, jury awards in personal injury lawsuits, and analyses of legal trial tactics. Her work not only showcases her legal acumen but also her exceptional ability to communicate complex legal issues effectively to a broader audience. Dani's unique blend of legal practice experience and her prowess in legal writing positions her at the intersection of law and literature, allowing her to contribute meaningfully to both fields.

Dani earned her Bachelor of Arts in English from Ferris State University, where she was involved in various activities, including serving as a tutor at the Writing Center, editor in chief of the Muskegon River Review, president of the Dead Poets' Society, secretary of the Public Administration Association, and a member of the varsity synchronized skating team. She obtained her Doctor of Law from the University of Michigan Law School, participating in the Michigan Telecommunications and Technology Law Review, Wolverine Street Law Moot Court, and the Mock Trial Team. Additionally, Dani holds a Master of Arts in English Language and Literature/Letters from Western Michigan University, where she was a graduate assistant for the Hilltop Review.
