Your personal information is sitting in a database managed by a company that just told you it was compromised. A credit card number, a Social Security number, medical records -- whatever the specifics, it is out there now.
The breach notification email is vague. The company offers you a year of free credit monitoring. And you are left wondering: can you sue a company for a data breach?
Yes, you can. But whether you have a viable lawsuit depends on what happened, what harm you suffered, and which laws apply. This guide breaks it down.
Not every data breach leads to a successful lawsuit. To bring a claim, you generally need three things: standing, a legal theory, and damages.
Standing is the threshold issue. Federal courts require you to show an "injury in fact" -- something concrete, not just the possibility that your data might be misused someday. After the Supreme Court's 2021 decision in TransUnion LLC v. Ramirez, this requirement has real teeth. If your stolen data has been used for identity theft or fraudulent charges, you have standing. If your data was exposed but nothing has happened yet, standing is harder to establish in federal court -- though many state courts are more flexible.
Negligence is the most common legal theory. The company had a duty to protect your data, it failed to implement reasonable security measures, and that failure caused your harm. Courts increasingly recognize that companies holding sensitive personal information owe a duty of care to the people whose data they store.
Breach of contract applies when the company's privacy policy or terms of service promised to protect your information and failed to do so. The privacy policy becomes a contractual obligation -- and breaking it gives you a claim.
Statutory violations are often the strongest path. Several state and federal laws create specific data security obligations. When a company violates them, the statute itself may give you the right to sue.
If you are suing for negligence -- the most common data breach claim -- here is what you need to establish.
Duty of care. The company had a legal obligation to safeguard your personal information. Industry standards, regulatory requirements, and even the company's own privacy policies help establish what that duty looked like.
Breach of that duty. The company failed to meet reasonable security standards. Maybe it stored passwords in plain text, ignored known vulnerabilities for months, or never encrypted sensitive data. Forensic evidence from the breach investigation typically reveals where the company fell short.
Causation. The company's security failures -- not some other event -- caused your data to be compromised.
Damages. You suffered actual, measurable harm. This includes unauthorized charges, costs of credit monitoring and identity repair, lost time, and emotional distress. The damages element is where many data breach cases get difficult, because courts want more than anxiety about potential future misuse.
Several federal laws set data protection standards, though not all give individuals a direct right to sue.
HIPAA establishes strict security requirements for healthcare providers and their business associates. There is no private right of action under HIPAA -- you cannot sue directly under it. But HIPAA violations are powerful evidence of negligence. If a provider violated HIPAA standards and your medical data was breached, those violations establish the standard of care the provider failed to meet.
The FTC Act prohibits unfair or deceptive practices, including misleading claims about data security. Private individuals cannot sue under the FTC Act directly, but FTC enforcement actions and consent decrees strengthen private negligence and state law claims.
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to implement information security programs. If your bank or financial services provider suffered a breach, GLBA violations can support your claim.
State laws are where data breach plaintiffs often find the most traction.
The Connecticut Data Privacy Act (CTDPA), effective since 2023, gives Connecticut residents rights over their personal data -- including the right to know what a company collects, the right to delete it, and the right to opt out of data sales. Enforcement runs through the Attorney General's office rather than private lawsuits, but a company's failure to comply with CTDPA obligations is strong evidence of negligence in a private data breach suit.
Connecticut's data breach notification statute (CGS Section 36a-701b) requires businesses to notify affected individuals promptly after discovering a breach. Failure to provide timely notification increases a company's legal exposure and supports negligence claims.
California's CCPA and CPRA include a private right of action for data breaches. If a California resident's unencrypted personal information is compromised due to a business's failure to implement reasonable security, the resident can sue for statutory damages of $100 to $750 per consumer, per incident -- without proving actual financial loss. That per-person figure is why California data breach class actions draw so much attention.
Other states including Colorado, Virginia, and Texas have passed comprehensive privacy laws, each with its own enforcement mechanisms.
When a data breach affects millions of people, a class action is typically the path forward. Class actions pool claims, share litigation costs, and create collective pressure to force meaningful settlements. Recent settlements have reached historic levels -- Equifax exceeded $700 million, T-Mobile agreed to $350 million, and UnitedHealth's 2024 breach affecting over 100 million people is generating litigation that could dwarf both.
But class actions are not always the best option. Individual lawsuits make more sense when your damages are substantial -- significant identity theft, large financial losses, or harm that goes beyond what a class settlement would compensate. If you lost $50,000 to identity fraud traced to a specific breach, your individual claim is worth far more than the $25 to $100 per person typical in class settlements.
A business attorney experienced in data privacy litigation can evaluate whether joining a class or pursuing your own claim is the stronger move.
Data breach litigation cuts both ways. If your company experienced a breach, you need a defense strategy immediately.
Notification requirements come first. Connecticut law requires businesses to notify affected individuals and the Attorney General's office without unreasonable delay. Many states have specific timelines -- some as short as 30 days. Missing these deadlines creates additional liability.
Preserve everything. Do not destroy logs, communications, or forensic evidence. Litigation holds should go into effect immediately. Spoliation of evidence turns a defensible case into a disaster.
Engage forensic experts. Understand exactly what happened, what data was accessed, and how to contain the breach. This investigation builds the factual record you will rely on in litigation or regulatory inquiries.
Review your insurance. Cyber liability policies may cover response costs, notification expenses, legal defense, and regulatory fines. If you do not have cyber insurance, that is a conversation to have with your small business attorney now rather than after an incident.
Small businesses are particularly vulnerable. Industry data shows that roughly 60 percent of small businesses that suffer a significant breach close within six months. The combination of response costs, legal exposure, and lost customer trust can be devastating for companies without Fortune 500 resources.
The data breach landscape has shifted dramatically, and 2026 is accelerating every trend.
Record breach volume. The AT&T breach exposed records of nearly all its wireless customers. UnitedHealth/Change Healthcare compromised over 100 million medical records. The MOVEit vulnerability created a supply chain breach affecting thousands of organizations. These incidents generated a wave of litigation still working through the courts.
Expanding state laws. More than a dozen states now have comprehensive privacy legislation. Connecticut's Attorney General has been active in data privacy enforcement, and more investigations are expected as the CTDPA matures.
Aggressive FTC enforcement. The FTC has pursued actions against companies of all sizes for deceptive data practices and inadequate security. Regulatory action often triggers follow-on private litigation.
AI-powered attacks. AI tools have made phishing campaigns more convincing, vulnerability exploitation faster, and attack surfaces broader. Courts are beginning to raise the standard of care expected from companies in response. Companies that have navigated data privacy compliance for SaaS products are better positioned, but the ground is shifting fast.
Whether your personal data was compromised or your business is dealing with a breach, the legal issues are too significant to navigate alone. Timelines are short, preservation obligations are immediate, and the difference between a strong and weak position often comes down to the first 48 hours.
Turley Law PLLC advises clients on both sides of data breach matters. We understand the technical and legal dimensions because data privacy and technology law are core to our practice.
Schedule a consultation to discuss your situation with a Connecticut business attorney who understands data privacy law.
Attorney Advertising. Prior results do not guarantee a similar outcome.