
Duane Morris Takeaway: This week’s episode of the Class Action Weekly Wire features Duane Morris partners Jerry Maatman and Jennifer Riley, special counsel Justin Donoho, and associate Ryan Garippo with their discussion of the key trends analyzed in the 2025 edition of the Duane Morris Data Breach Class Action Review, including the contributing factors in the exponential growth of data breach class action filings, the sophistication of the plaintiffs’ bar litigation theories, and the chart-topping settlements in this area.
Bookmark or download the Data Breach Class Action Review e-book here, which is fully searchable and accessible from any device.
Check out today’s episode and subscribe to our show from your preferred podcast platform: Spotify, Amazon Music, Apple Podcasts, Samsung Podcasts, Podcast Index, Tune In, Listen Notes, iHeartRadio, Deezer, and YouTube.
Episode Transcript
Jerry Maatman: Welcome all our loyal listeners and blog readers. Thank you for being here on our weekly podcast, the Class Action Weekly Wire. I’m, Jerry Maatman of Duane Morris, and joining me today are my colleagues, Jen, Justin, and Ryan. Thanks so much for being on this particular podcast.
Jennifer Riley: Thank you, Jerry. Happy to be part of the podcast today.
Justin Donoho: Thanks, Jerry. Glad to be here.
Ryan Garippo: Thanks for having me, Jerry.
Jerry: Today in the podcast we’re discussing the publication of this year’s Duane Morris Data Breach Class Action Review and desk reference designed for our clients to give them the latest, greatest information on the cutting-edge issues in the world of data breach class action. Listeners can find the e-book publication on our blog, the Duane Morris Class Action Defense blog. Jen, can you share with our listeners a bit about this desk reference and publication?
Jennifer: Absolutely, Jerry. The volume of data breach class actions exploded in 2024. Data breach has emerged as one of the fastest growing areas of class action litigation. The Review contains an overview of these filing numbers as well as settlements as well as some of the key decisions in this area. So, in sum, courts continue to reach inconsistent outcomes on issues such as standing and uninjured class members, those issues that are uniquely challenging in the data breach space. The Review has dozens of contributors, and it reflects really the collective experience and expertise of our class action defense group.
Jerry: I think it used to be, people thought whenever there was a drop in the stock following a company announcement, as sure as the sun rises in the east and sets in the west every day, there’d be a securities fraud class action lawsuit being filed. That seems to be the case now, when there’s a data breach incident, a data breach class action follows in its wake. Justin, can you shed some light on why this particular cause of action in this particular space has been growing incrementally over the last 36 months?
Justin: Absolutely. I mean, the frequency of the data breaches have been increasing, which is a huge part, and of course, with that comes heightened attention from both consumers and the plaintiffs’ bar. High profile cases, such as that multidistrict litigation arising from the Marriott International breach that affected over 133 million people, for example. There’s the MOVEIt MDL, which is another big one that got going last year. These have all put companies on notice that failure to secure personal data can lead to costly litigation. Cost lawsuits are not just about the breach itself, it’s also about the aftermath. So, consumers are now more aware of the risks and more inclined to seek legal recourse when their data is compromised.
Jerry: I think this is a great area where the notion that the law is trailing behind technology and can’t keep up with it – may well explain some of the developments in this particular space from a cybersecurity perspective. How do you think the increasing frequency of these sorts of events, and the sophistication of cyber criminals, is playing out in the class action space?
Ryan: Well, the rise in cyberattacks is definitely a huge factor. We’re seeing more sophisticated tactics from cybercriminals. Ransomware is at least one prime example – hackers demand payments in exchange for not publishing or further exploiting stolen data. The issue is that paying the ransom doesn’t necessarily guarantee the safe return or the deletion of the data, which makes these incidents devastating for companies. Additionally, I think we’ve seen as there’s been a shift to remote work and cloud-based infrastructure, that more vulnerabilities are exposed which ultimately increases the frequency of breaches. As a result, I think we’re seeing more lawsuits following these incidents and plaintiffs’ attorneys are more eager to capitalize on the growing number of affected individuals.
Jerry: In the last two weeks, the U.S. Supreme Court has accepted a case for review on the issue of uninjured class members, and whether or not their presence is something that can be used by a defendant to stop class certification. And one of the things we’ve seen in the last few years in the data breach area is the lack of injury or no injury-in-fact, as the Supreme Court has articulated that in TransUnion v. Ramirez. Jen, what do you see in terms of what plaintiffs are doing to try and come up with theories, at least from a financial damage or injury standpoint, that companies are now facing in what I would call data breach litigation 2.0?
Jennifer: Well, Jerry, I think several factors are really contributing to the rise of the popularity of these lawsuits. First, I think the sheer volume of people affected by these breaches has ballooned. Especially with breaches impacting millions of consumers or employees. As the size of these cases increases, I think it naturally leads to higher settlement amounts which in turn are attracting more plaintiffs’ lawyers to this area. Additionally, I think the type of data being compromised is becoming more sensitive – financial and healthcare information, for example – are leading to additional claims and higher potential damages and are leading plaintiffs’ attorneys to become more creative in looking for ways to monetize, capitalize on these breaches in terms of converting them into settlement dollars.
Justin: Yes, absolutely. And some courts are also becoming more sympathetic to plaintiffs in these cases, and to the potential long-term consequences of data breaches to plaintiffs, even where immediate harm is not apparent. So, it’ll be interesting to see where that Supreme Court case plays out. And let’s not forget about the legal fees and the expert fees also contributing to some of these large settlement dollars. As these cases become more complex with issues like class certification and determining damages, and the reasonableness of the cybersecurity, the costs involved in litigating these lawsuits are skyrocketing.
Jerry: You mentioned class certification – certainly the plaintiffs’ bar their theory is file the case, certify the case, then monetize the case, and the statistical study within the desk reference talks about the rise in class certification to 40%. Still a low number, but significantly up from 16% in calendar year 2023. What do you attribute to the trend that’s showing an upward number and a more of a chance for the plaintiffs’ bar to certify their data breach class actions?

Ryan: Well, like we mentioned before, I think it’s reflective of the fact that plaintiffs’ counsel has gotten more sophisticated in this space, and courts are getting more sympathetic to the plaintiffs at issue. But that said, class certification is still a major hurdle in any class action. And it’s particularly challenging in data breach cases. The increased success rate for class certification in the data breach space is 40% in 2024, reflecting that evolving legal precedent. Courts are now more inclined to accept the argument that consumers have suffered harm, even if their data hasn’t been directly misused, and that the mere recognition of an indirect harm, such as the increased risk of identity, theft, or emotional dispute or emotional distress, is enough to allow plaintiffs to get into court and overcome this clear obstacle.
Jerry: Jen, what were some of the major data breach litigation markers in the federal courts this year, by your way of thinking?
Jennifer: Well, Jerry, great question. We discuss in the Review some of the largest ones. Certainly, one of the prime examples is the ongoing MOVEIt Customer Data Breach Litigation. That litigation that began back in 2023 continued throughout 2024, and is ongoing. In that one, the Judicial Panel on Multidistrict Litigation consolidated more than 200 class action lawsuits. Those lawsuits resulted from a Russian cybergang hacking the file transfer software MOVEIt. The Judicial Panel on Multidistrict Litigation transferred those proceedings after consolidating them to the U.S. District Court for the District of Massachusetts. The plaintiffs in that case, as I mentioned, alleged that this vulnerability in the Massachusetts-based company MOVEIt, a transfer file software, was exploited. That data breach is considered to be the largest hack of 2023. According to the Panel’s initial transfer order, it exposed personally identifiable information of more than 55 million people. So, as I mentioned, that proceeding is ongoing. In July 2024, the Transferee Court issued an order adopting a modified bellwether structure in which it ordered the plaintiffs to file up to six consolidated amended complaints, and it ordered the parties to meet confer on the defendants to be named in each of those. The plaintiffs are going to file their motions for class certification, according to the schedule at least, in the summer of 2025. So, lots to be done in those cases yet.
Jerry: Well, it seems to me that data breach litigation, especially in the class action arena, is a problem or a fear that keeps corporate counsel up at night, and some of the top settlements in this space in 2024 maybe fuel that fear. What were some of the key and highest class action settlements in the data breach case, despite the fact that certification hovered around 40%?

The largest data breach class action settlement in 2024 was $350 million in In Re Alphabet Inc. Securities Litigation, Case No. 18-CV-6245 (N.D. Cal. Sept. 30, 2024), in which the court granted final settlement approval in a class action alleging that a software glitch led to a data breach in which Google+ users’ personal data was exposed for three years.
Justin: Yes, Jerry. Plaintiffs did very well in securing high dollar settlements last year, with the top 10 settlements totaling $593.2 million dollars. This was a significant increase over 2023 when the top 10 totaled $515 million – so they keep going up, too.
Jerry: Well, my prognostication is the 2025 numbers are going to go up and even exceed those chart-toppers in the next 12 months. In terms of final parting thoughts for our loyal listeners, what are some of the takeaways and key points that our listeners and readers should keep in mind for data breach issues in 2025?
Ryan: Invest in strong cybersecurity measures – it’s essential to stay out of the game in this space and constantly involve your cybersecurity infrastructure against these emerging threats. But beyond that, companies should also have a well-designated incident response plan in place and make sure that it’s regularly tested. This helps ensure not only quicker recovery, but also a stronger defense in court if a breach ever occurs. This legal landscape is evolving, and data breaches are no longer niche; they’re becoming an expected part of the litigation landscape, and so, having a proactive and comprehensive approach can help mitigate the immediate and long-term costs, and help keep you out of those $500 million numbers that Jerry and Justin mentioned before.
Jerry: Well, thanks, Jen, Justin, and Ryan, for your thought leadership and your analysis of this particular area. Loyal listeners, please stop by our blog and website to download for free our e-book, Data Breach Class Action Review – 2025. Thanks so much everyone for lending your expertise today on our Class Action Weekly Wire podcast.
Ryan: Thanks, Jerry.
Justin: Thanks for having me and thank you, listeners.
Jennifer: Thanks so much, everyone. See you next week.