VIDEO – DMCAR Trend #6: Data Privacy Filings Continued To Grow As The Playbook Became More Refined

By Gerald L. Maatman, Jr., and Jennifer A. Riley

Duane Morris Takeaway: Data privacy class action filings continued to expand in 2025, marking it as one of the fastest growing areas in the complex litigation space. Plaintiffs filed approximately 1,822 data privacy class actions in 2025. This represents an average of more than 150 filings per month and more than seven filings per business day. These numbers reflect growth of more than 18% over the number of data breach class actions filed in 2024 and growth of more than 200% over the number of data breach class actions filed just three years ago in 2022.

Watch Review co-editor Jennifer Riley as she explains this trend in more detail below:

In 2025, courts also granted motions to dismiss these complaints at increasingly high rates, leading to many dismissals, many pre-ruling settlements, and few rulings on motions for class certification. Indeed, despite the significant increase in filings, courts issued few – only three – rulings on motions for class certification in 2025, suggesting that many motions are in the pipeline or that cases are increasingly resolved prior to class certification through dismissal or settlement.

  1. Filing Numbers Continued Their Upward Trajectory

The volume of data breach class actions continued to expand in 2025 as data breach solidified its spot among the fastest growing areas of class action litigation. After every major (and even not-so-major) report of a data breach, companies should expect the negative publicity to prompt one or more class action lawsuits. These suits saddle companies with the significant costs of responding to the data breach as well as the costs of dealing with the resulting high-stakes class action lawsuits, often on multiple fronts.

Companies that were unfortunate enough to fall victim to data breaches in 2025 faced class actions at an increasing rate. In 2025, plaintiffs filed approximately 1,822 data privacy class actions, which represents an 18% increase over 2024. In 2024, plaintiffs filed 1,488 data privacy class actions, compared with 1,320 in 2023, and 604 in 2022.

As the graphic depicts, the growth of filings in the data breach area has been extraordinary, from 109 class action filings in 2018 to 1,822 class action filings in 2025, an increase of more than 1,613% in seven years.

Several factors are likely continuing to fuel this growth in data breach class actions. First, data breaches have continued to increase at a rate that roughly tracks the shape of the curve depicted above. Second, whereas defendants have achieved success in the courthouse, recent court decisions have provided a better roadmap for plaintiffs to attempt to escape dismissal with some portion of their complaint intact. Third, and most importantly, hefty settlements have continued to fuel filings. Observing the difficulty that plaintiffs have faced attempting to certify data breach class actions, plaintiffs are increasingly incentivized to file and then monetize their data breach claims early in the litigation, prior to reaching that crucial juncture, while their investment remains low.

So long as defendants continue to play ball on the settlement front, we are likely to continue to see even low settlement payouts continue to lure plaintiffs to this space and fuel those filing numbers.

  2. Plaintiffs Continued To Face Hurdles In The Courthouse

Data breach plaintiffs continued to face hurdles in the courthouse in 2025. In 2025, federal courts issued substantive rulings on 222 motions to dismiss that they granted, granted in part, or denied. In those rulings, courts granted 150 motions to dismiss in whole or in part, and denied 72 of those motions, representing a success rate for defendants of 67.5%. By contrast, in 2024, federal courts issued rulings on 265 motions to dismiss that they granted, granted in part, or denied. In those rulings, courts granted 171 motions to dismiss in whole or in part, and denied 94 of those motions, representing a success rate for defendants of 64.5%. Considering the increasing filing numbers, this suggests that defendants attacked the pleadings in a lower percentage of matters in 2025, or that a lower percentage of cases made it to the motion to dismiss stage.

In terms of the 150 favorable rulings for defendants in 2025, courts granted dismissal in 81 matters and granted dismissal in part in 69 matters. Thus, of the 150 rulings favoring defendants, 54% of those favorable rulings dismissed complaints in their entirety, often for lack of standing as discussed below. Defendants fared slightly better in 2025 than in 2024 in terms of gaining full dismissals. In 2024, courts issued 171 favorable rulings for defendants, granting dismissal in 103 matters and granting dismissal in part in 68 matters, meaning that, of the 171 rulings favoring defendants in 2024, 60% of those favorable rulings dismissed complaints in their entirety.

In terms of full dismissals, many of the decisions granting such motions addressed the issue of standing. The U.S. Supreme Court’s decision in TransUnion LLC v. Ramirez, 141 S.Ct. 2190 (2021), continues to fuel a fundamental threshold challenge in terms of whether a plaintiff can show that he or she suffered a concrete injury such that he or she has standing to sue. In TransUnion, the Supreme Court ruled that certain putative class members, who did not have their credit reports shared with third parties, did not suffer concrete harm and, therefore, lacked standing to sue. Since the TransUnion decision, standing has emerged as a key defense to data breach litigation because the plaintiffs often have difficulty demonstrating that they suffered concrete harm.

Courts have handed down a kaleidoscope of decisions on the issue of standing. For instance, some courts have found that mere public disclosure of private facts is sufficiently “concrete” for an injury to establish standing, whereas others have required allegations showing harm from misuse of the plaintiffs’ data. Decisions on motions to dismiss data breach class actions often turn on the sensitivity and level of exposure of the information involved, as well as plaintiffs’ ability to plausibly allege a credible risk of future harm, a duty to protect confidentiality of information, and many other specifics relevant to a large number of various common law and statutory theories asserted by plaintiffs, who often file multiple claims, and sometimes file dozens of claims under dozens of theories in data breach class actions, in the hopes of finding one that will stick.

In Teague, et al. v. AGC America, Inc., 2025 U.S. Dist. LEXIS 102564 (N.D. Ga. Jan. 6, 2025), for instance, the plaintiff filed a class action alleging that the defendant failed to adequately safeguard personal information, resulting in a data breach. The plaintiff claimed that the breach exposed the PII of more than 20,000 individuals, which subsequently was accessed by cybercriminals. The defendant moved to dismiss, arguing that the plaintiff failed to show actual losses or a causal connection between the breach and his alleged injuries. The court, however, held that the plaintiff had standing to sue because he demonstrated a substantial risk of future harm resulting from the data breach. The court reasoned that the plaintiff’s allegations of misuse of his PII by criminals and the immutable nature of the information were sufficient for standing.

In Dougherty, et al. v. Bojangles’ Restaurants, Inc., 2025 U.S. Dist. LEXIS 194879 (W.D.N.C. Sept. 30, 2025), by contrast, the court dismissed a putative class action arising from a 2024 cyberattack against Bojangles. A group of former employees alleged negligence and violations of North Carolina tort and consumer protection laws, claiming emotional distress, privacy loss, and risk of identity theft. The court held that plaintiffs failed to allege a concrete injury sufficient for Article III standing. Eight of the nine plaintiffs based their claims solely on a speculative risk of future harm – such as potential sale of data on the dark web, increased spam calls, and time spent on mitigation – without a showing of any actual misuse. The lone plaintiff alleging fraudulent debit card charges failed to establish traceability, as he did not claim to have provided his card information to Bojangles.

Plaintiffs who clear the standing hurdle face another key inflection point at the class certification phase. Despite the robust filing activity, in 2025 courts issued few decisions on motions for class certification. In 2025, courts ruled on only three motions for class certification in the data breach area, and plaintiffs prevailed on one, for a success rate of 33%. Similarly, in 2024, courts ruled on only five motions for class certification in the data breach area, and plaintiffs prevailed on two, for a success rate of 40%. By comparison, in 2023, courts issued seven rulings on motions for class certification, and plaintiffs prevailed on one, for a success rate of 14%. Given the volume of filings, these numbers suggest that hundreds of motions remain in the pipeline or that, observing the difficulty that plaintiffs have faced in certifying such data breach cases over the past three years, plaintiffs are electing to monetize their data breach claims prior to reaching that crucial juncture.

The court’s ruling in Theus, et al. v. Brinker International Inc., 2025 U.S. Dist. LEXIS 122165 (M.D. Fla. June 27, 2025), is illustrative. The plaintiff filed a class action against the defendant, Chili’s parent company Brinker International, Inc., alleging that hackers stole customers’ credit and debit card information and posted it for sale on a dark web marketplace called Joker’s Stash. The plaintiff filed a motion for class certification on behalf of all affected customers across the United States. The district court certified a class that included individuals who shopped at affected Chili’s locations during March and April 2018, had their data accessed by cybercriminals, and incurred expenses or time mitigating the consequences. However, Brinker appealed, and the Eleventh Circuit vacated the district court’s ruling. On appeal, the Eleventh Circuit reasoned that the phrase “data accessed by cybercriminals” was too broad and could include uninjured individuals. Id. at *4. The Eleventh Circuit ordered the district court to either revise the class definition to include only those who experienced fraudulent charges or had data posted on the dark web, or to reassess the original definition while recognizing it might contain uninjured members. On remand, the plaintiff initially proposed a narrower class definition but ultimately deferred to the Eleventh Circuit’s directive, which refined the class to include only those who: (i) experienced fraudulent charges or had their data posted on the dark web due to the breach; and (ii) spent time or money mitigating those consequences. Despite this refinement, the district court denied class certification. The district court found individualized questions, such as whether someone’s data was compromised, what expenses he or she incurred, or whether his or her card was ever posted or misused, would require case-by-case analysis. 
The district court ruled that proving the individualized issues would require “a great deal of individualized proof,” making the case unsuitable for class certification. Id. at *11.

In sum, while filing numbers continue to climb, the number of rulings on key phases of data breach class actions is continuing to decline. Observing the difficulty that plaintiffs have faced overcoming motions to dismiss and certifying such cases over the past three years, plaintiffs are increasingly incentivized to monetize their data breach claims early in the litigation, prior to reaching either juncture. As we continue to see filings grow in this area, we could continue to see a decline in the number of rulings. So long as defendants continue to play ball on the settlement front, and payouts remain higher than the associated transaction costs, we are likely to continue to see settlements lure plaintiffs to this space.

T-Minus 7 Days: Duane Morris Class Action Review – 2026

Duane Morris Takeaway: Keep your New Year’s whistles on deck for the DMCAR 2026 E-book Launch on Tuesday, January 6, 2026! Our 22nd annual study of the class action space will be the biggest and most comprehensive edition yet, at over 750 pages. The 2026 Review has more analysis than ever before, with discussion of over 1,759 class certification rulings from federal and state courts examining all categories of class action litigation.

We will host an in-depth discussion of the key trends analyzed over the past 12 months at the Duane Morris Class Action Review – 2026 Book Launch Event on Thursday, February 5, 2026, from 3:30 p.m. to 6:00 p.m. at the Northwestern University School of Law. Register here to reserve your in-person or virtual seat and join us for a 60-minute live panel with DMCAR editors Jerry Maatman and Jennifer Riley and guest speaker Hon. Wayne R. Andersen (Ret.). CLE, SHRM, and HRCI credit will be available.

We look forward to publishing the new edition of the Review and sharing our outlook for class action litigation in 2026. Stay tuned and Happy New Year!

Coming Soon: The Duane Morris Class Action Review – 2026!!

By Gerald L. Maatman, Jr. and Jennifer A. Riley

Duane Morris Takeaway: Happy Holidays to our loyal readers of the Duane Morris Class Action Defense Blog! Our elves are busy at work this holiday season in wrapping up our start-of-the-year kick-off publication – the Duane Morris Class Action Review – 2026. We will go to press in early January and launch the 2026 Review from our blog and our book launch website. This announcement also marks our 600th blog post.

The 2026 Review builds on the success of our previous editions and represents our 22nd annual study of the class action space. It will be the biggest and most comprehensive edition yet, at over 750 pages. The 2026 Review has more analysis than ever before, with discussion of over 1,700 class certification rulings from federal and state courts over this past year. The Review will be available for download as an E-Book too.

The Review is a one-of-its-kind publication analyzing class action trends, decisions, and settlements in all areas impacting Corporate America, including the substantive areas of antitrust, appeals, the Class Action Fairness Act, civil rights, consumer fraud, data breach, EEOC-Initiated and government enforcement litigation, employment discrimination, the Employee Retirement Income Security Act of 1974, the Fair Credit Reporting Act, labor, privacy, procedural issues, product liability and mass torts, the Racketeer Influenced and Corrupt Organizations Act, securities fraud, state court class actions, the Telephone Consumer Protection Act, wage & hour class and collective actions, and the Worker Adjustment and Retraining Notification Act. The Review also highlights key rulings on attorneys’ fee awards in class actions, motions granting and denying sanctions in class actions, and the top class action settlements in each area. It also will contain a brand-new appendix featuring analysis of rulings in the generative artificial intelligence and crypto space. Finally, the Review provides insight as to what companies and corporate counsel can expect to see in 2026.

The Duane Morris Class Action Review was recently cited in briefing to the U.S. Supreme Court in as the authoritative source on FLSA certification statistics and the widening circuit split regarding when it is appropriate to send notice to would-be plaintiffs, under 29 U.S.C. § 216(b) in a Fair Labor Standards Act (“FLSA”) collective action.

In its review of our practice group’s resource, Employment Practices Liability Consultant Magazine (“EPLiC”) said, “The Duane Morris Class Action Review is ‘the Bible’ on class action litigation and an essential desk reference for business executives, corporate counsel, and human resources professionals.” EPLiC continued, “The review is a must-have resource for in-depth analysis of class actions in general and workplace litigation in particular.”

With the submission of our analysis to the U.S. Supreme Court, we are humbled and proud to be cited as the authoritative source in the class action space. The Review is also relied on by some of the world’s largest plaintiffs’ firms and federal judges, see, e.g., Laverenz v. Pioneer Metal Finishing, LLC, 746 F. Supp. 3d 602, 614 (E.D. Wis. 2024).  The Duane Morris Class Action Review is the “one stop shop” and authoritative source on collective action certification rates, collective action trends and analysis, and the implications, pressures, and contours that parties face when engaged in FLSA collective action litigation.

We look forward to providing the 2026 edition of the Review to all our loyal readers in early January. Stay tuned and Happy Holidays!
