Personal injury lawyers increasingly chase data-breach suits
- SCCLR Newsletter
- Sep 3
By: Angus Loten
A growing number of personal injury lawyers are adding data-breach lawsuits to caseloads, alongside traffic accidents, medical malpractice and dog bites.
The upswing is being fueled by a surge in cyberattacks, as hackers become more sophisticated at breaking into business systems with an ever-increasing cache of customer data. Driven by the rise of AI-powered phishing attacks, U.S. companies reported over 1,700 data breaches in the first half of 2025, compared with a full-year total of 3,155 breaches reported in 2024, according to the Identity Theft Resource Center. So far this year, companies have issued more than 165 million individual victim notifications, the nonprofit research firm said.
The deluge has personal injury law firms chasing plaintiffs within hours of a company’s data-breach notification, taking to Facebook, TikTok and other social-media platforms, lawyers and cybersecurity experts said. To get ahead of the pack, many new data-breach lawyers are equipped with online cyberattack alerts, customizable ad templates and ready-made legal paperwork, they said.
“Lawyers are an opportunistic bunch,” Thomas Loeser, a partner at Cotchett, Pitre & McCarthy, said about the rush to file lawsuits after companies issue a data-breach notification. “We have seen a tremendous increase in firms that take on data-breach cases,” he said, citing firms that file six to seven cases a week.
Last year, U.S. lawyers filed 1,488 class-action lawsuits related to data breaches, up from 1,320 in 2023 and just 604 in 2022, according to law firm Duane Morris.
Car accidents and medical malpractice remain the two biggest moneymakers for the more than 50,000 personal injury law firms across the U.S., according to research firm IBISWorld. But data breaches are one of the fastest-growing areas of class action litigation, said James Turgal, vice president of global cyber advisory, risk and board relations at Optiv, a cyber advisory firm.
Lawyers are tallying big wins. AT&T in June reached a $177 million preliminary settlement with customers caught up in a pair of data breaches disclosed last year. The telecom giant faced a flood of personal and class-action suits after notifying customers about the attacks, including a breach that enabled hackers to download call and text-message information from nearly all of its 90 million wireless subscribers. The court’s final approval is expected in December.
Other recent class-action data-breach lawsuits include MGM Resorts, which in June settled for $45 million, and Neiman Marcus, which in May settled for $3.5 million.
Early settlements can help companies avoid costly, drawn-out legal battles that can leave lasting reputational damage. But they can also drain cyber insurance funds meant to shore up a company’s data safeguards, said Megan Silverman, vice president of cyber solutions at Integreon, a firm that provides legal, business and creative services to global companies.
“Instead of investing those dollars in stronger data protections, much of the money is now flowing to plaintiffs’ attorneys and their clients,” Silverman said.
Companies operating with “truly egregious practices”—like not having multifactor authentication or relying on shared standardized passwords—are fair game for plaintiffs, Silverman said. But companies that follow accepted cybersecurity practices and still get breached shouldn’t be facing lawsuits, she said: “Anyone can be breached if the threat actors try hard and long enough.”
Craig Hoffman, partner and co-leader of Baker & Hostetler’s Digital Risk Advisory and Cybersecurity team, said over the past few years the likelihood of a company getting hit with at least one class-action lawsuit after disclosing a security incident has jumped.
In the past five years, he said, Baker & Hostetler has led clients through roughly 1,250 data breaches every year, resulting in about 500 situations that require notification per local, federal or industry regulations. Last year, more than 50 notices sparked lawsuits, compared with just 20 in 2020, Hoffman said.
“If you go back five to 10 years, you would normally only expect a lawsuit if you were notifying hundreds of thousands or millions of people,” Hoffman said. Today, data-breach lawsuits can involve 1,000 or fewer individuals, he said.
The sheer number of law firms vying for a piece of a data-breach case can bog down the legal process. “It’s such a crowded space now,” said Amina Thomas, partner on the class-action team at CohenMalad, an Indiana-based law firm that has handled data-breach suits for nearly a decade. More than a half-dozen attorneys with their own plaintiffs can battle to lead the same case, adding weeks and even months to proceedings.
In cases involving large companies or widespread leaks, multiple law firms often file their own unique lawsuits and compete with each other to lead a case, said Cotchett, Pitre & McCarthy’s Loeser. “It does make it harder,” he said.
Loeser, a former federal cyber prosecutor, is one of 10 lawyers appointed to the leadership of the AT&T lawsuit.
It used to be that taking on a data-breach case was risky and expensive, he said: “There are now firms that have a volume practice.”
Corrections & Amplifications: U.S. companies reported more than 1,700 data breaches in the first half of 2025, compared with a full-year total of 3,155 reported in 2024. An earlier version of this article incorrectly said the number of data breaches in the first half of 2025 was more than double the full-year total for 2024. (Corrected on Sept. 3)
