Cyberattacks & Class Actions: What Small Businesses Should Know After Recent Data Breaches

June 23, 2026 Technology Industry Legal Blog

Reading Time: 10 minutes


A cyberattack used to be an IT problem. Today it is a litigation problem. When a hacker walks off with a few thousand customer records, the breach itself is only the first event. The second event, often weeks or months later, is a class action complaint filed on behalf of everyone whose data was exposed. For a small or midsize business, that second event is frequently the more expensive one.

This is not a big-company issue anymore. Plaintiffs’ firms have built an efficient, repeatable playbook for turning a breach notification letter into a lawsuit, and they apply it to companies of every size. If your business collects customer names, payment data, health information, or employee records, you are a potential defendant. Here is what is actually happening in this area of litigation, why it now reaches smaller companies, and what you can do to lower your exposure before an incident ever occurs.

The Threat Is Getting More Expensive, Not Less

The financial stakes are easy to underestimate until you see the numbers. According to IBM’s 2025 Cost of a Data Breach Report, the global average cost of a data breach was $4.44 million. That figure dropped about 9 percent from the prior year, largely because companies are detecting and containing breaches faster. But the average United States breach cost remained far higher, and those totals include legal defense, settlements, regulatory response, notification, and credit monitoring.

For a smaller company, the headline average is less important than the structure of the cost. Much of the expense is not the breach. It is the response, and a large part of the response is litigation. That is the part most business owners are unprepared for.

Why a Breach Turns Into a Lawsuit So Quickly

A data breach is close to an ideal fact pattern for the plaintiffs’ bar, and the reasons are worth understanding.

One incident affects everyone at once. A single intrusion that exposes 5,000 customer records creates 5,000 potential plaintiffs with nearly identical claims. That satisfies the “numerosity” element of class certification almost automatically. We explain how a single complaint becomes a class case in our guide on what makes a consumer lawsuit turn into a class action.

The conduct is standardized. Everyone in the class was harmed by the same security failure, the same vendor, and the same set of decisions. That uniformity makes it easier for plaintiffs to argue that common questions “predominate,” which is the central battleground in most consumer class actions.

The theories are well developed. Plaintiffs no longer have to invent a legal theory. They reuse a refined set of claims built around negligence, breach of implied contract, and state consumer protection statutes. We have analyzed that toolkit in detail in our work on data breach class action defense and negligence claims.

Notification laws hand plaintiffs a roadmap. Every state requires businesses to notify affected individuals after a breach. That legally mandated letter is also, in practice, a recruiting tool. It tells thousands of people they were affected, names the company responsible, and often arrives in the mailbox of a plaintiffs’ firm at the same time.

The Procedural Framework in Plain English

Class actions are not declared. They are certified. A lawyer can label a complaint a “class action” on the first day, but the case only becomes one if a court agrees to certify the class. In federal court, that decision runs through Federal Rule of Civil Procedure 23, and Florida state courts apply a closely related rule, Florida Rule of Civil Procedure 1.220.

To certify, a plaintiff must satisfy four threshold requirements: a class large enough that individual lawsuits are impractical (numerosity), legal or factual questions shared across the class (commonality), a named plaintiff whose claims look like everyone else’s (typicality), and a plaintiff and counsel capable of representing the group fairly (adequacy). The plaintiff then has to fit the case into one of three categories under Rule 23(b). For data breach cases, that is almost always Rule 23(b)(3), which asks whether common questions predominate and whether a class action is the superior way to resolve the dispute.

Even a case filed in state court can be pulled into federal court under the Class Action Fairness Act, codified at 28 U.S.C. section 1332(d). CAFA generally allows removal when the proposed class has at least 100 members, the total amount in controversy tops $5 million, and there is minimal diversity between the parties. Federal courts tend to apply Rule 23 with more rigor, which is often why the defense wants the case there.

The Most Important Defense: No Harm, No Standing

Here is the single most useful concept for a business owner to understand. A plaintiff cannot sue in federal court simply because data was exposed. The plaintiff has to show a real, concrete injury.

That principle comes from the Supreme Court’s decision in TransUnion LLC v. Ramirez, decided in 2021. The Court held that thousands of class members who could not show concrete harm lacked standing to recover, even though a statute had technically been violated as to them. The Court’s phrasing has become a defense rallying cry: no concrete harm, no standing.

In a data breach case, that translates into a powerful early question. Did the exposed information actually get misused? Did anyone suffer identity theft, fraudulent charges, or another tangible injury? Or is the claim built on the mere risk that something bad might happen someday? Courts remain divided on how much “increased risk of future harm” is enough, but TransUnion gives defendants a serious tool to challenge claims where no real-world damage occurred. This is frequently the first and most cost-effective place to attack a breach class action.

When the Breach Was Your Vendor’s Fault

Many small businesses assume they are safe because they outsourced their data handling to a payroll processor, a cloud platform, or a software provider. Unfortunately, being a customer of the breached vendor does not always keep you out of the lawsuit. Plaintiffs often name everyone in the chain, and your contract with that vendor may not shift the risk the way you assumed. We cover this growing exposure in our analysis of class action defense strategies when your vendor has a data breach. The lesson is simple. Review your vendor agreements now, before an incident forces you to read them under pressure.

The Defense Levers That Actually Work

The same rules that allow certification also create off-ramps. A capable class action defense team attacks at several pressure points.

Challenge standing early. As discussed above, if the named plaintiff cannot point to concrete injury, the case can end before it gains momentum.

Defeat predominance. Even when some questions are common, individual issues like whether each person was actually harmed, what data was exposed, and what damages resulted can overwhelm the common ones. This is where many Rule 23(b)(3) cases fail.

Test the named plaintiff. Typicality and adequacy challenges target the representative personally. A plaintiff with unusual facts or credibility problems may not be able to stand in for the whole class.

Enforce arbitration and class waivers. If your customer agreements include enforceable arbitration provisions with class action waivers, you may be able to move the named plaintiff into individual arbitration and stop the class case before discovery. These clauses only work if they were drafted carefully in advance.

Win on the merits early. A well-positioned motion to dismiss can end a weak case before certification is ever reached. Our step-by-step defense guide walks through the early response timeline, and our broader class action litigation defense resources catalog the moves available at each stage.

What to Do in the First 48 Hours After a Breach

The decisions you make immediately after discovering an incident shape the litigation that follows. The Federal Trade Commission’s guide, Data Breach Response: A Guide for Business, lays out a practical sequence, and the legal version of that sequence matters just as much.

Secure your systems and stop the data loss first, but do not destroy evidence in the process. Reimaging a compromised server or rotating logs to make room for the response erases exactly the material that later shows what was taken, when, and whether your controls were reasonable. Preserve access logs, authentication records, disk images and, where practical, memory captures before you rebuild anything, and record who collected what and when. Bring in counsel early, ideally before you draft a single notification letter, because the wording of that letter can later be used against you; engaging the forensic firm through counsel also gives its findings the best chance of privilege protection. Coordinate your communications so that public statements are accurate and consistent. Anything misleading can create separate liability on top of the breach itself.
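The preservation step above is where most small businesses have no procedure at all. The script below is an added example, not code from the article or from the FTC guide: it copies log files into an evidence directory, hashes the source and the copy with SHA-256, writes a timestamped manifest naming the collector, and can later re-verify that nothing in the evidence directory changed. The sample log lines, the `svc_backup` account, the IP address and the `ir-oncall` collector name are constructed for the demonstration.

```python
# Added example (not from the article): snapshot log files with SHA-256 hashes
# and a timestamped manifest before containment work changes or rotates them.
# Assumptions: POSIX-like filesystem; the log content and names below are
# constructed for the demo and are not real evidence.
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

# Constructed sample log. A real run would point at /var/log, application logs,
# cloud audit trails, VPN and identity-provider logs, and similar sources.
SAMPLE_LOG = (
    "2026-06-20T03:14:07Z sshd[812]: Accepted password for svc_backup from 198.51.100.23\n"
    "2026-06-20T03:14:09Z sudo: svc_backup : TTY=pts/0 ; COMMAND=/bin/tar czf /tmp/db.tgz /srv/db\n"
)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large logs need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_evidence(sources, dest_dir, collector: str) -> dict:
    """Copy each source into dest_dir, verify the copy's hash, and write a manifest."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in map(Path, sources):
        target = dest / src.name
        shutil.copy2(src, target)        # copy2 keeps the original mtime
        os.chmod(target, 0o440)          # read-only: later edits must be deliberate
        copy_hash = sha256_file(target)
        if copy_hash != sha256_file(src):
            raise RuntimeError(f"copy of {src} does not match its source")
        stat = src.stat()
        entries.append({
            "source": str(src),
            "copy": target.name,
            "sha256": copy_hash,
            "size": stat.st_size,
            "source_mtime_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(stat.st_mtime)),
        })
    manifest = {
        "collected_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "collector": collector,
        "files": entries,
    }
    body = json.dumps(manifest, indent=2, sort_keys=True)
    (dest / "manifest.json").write_text(body)
    # Hash of the manifest itself. Record it somewhere outside dest_dir (a ticket,
    # an e-mail to counsel) so the manifest cannot be silently rewritten later.
    manifest["manifest_sha256"] = hashlib.sha256(body.encode()).hexdigest()
    return manifest


def verify_evidence(dest_dir) -> list:
    """Re-hash every preserved copy; return the names of any that no longer match."""
    dest = Path(dest_dir)
    manifest = json.loads((dest / "manifest.json").read_text())
    return [
        entry["copy"]
        for entry in manifest["files"]
        if not (dest / entry["copy"]).exists()
        or sha256_file(dest / entry["copy"]) != entry["sha256"]
    ]


def run_demo() -> dict:
    """Preserve the constructed log, verify it, tamper with the copy, verify again."""
    work = Path(tempfile.mkdtemp(prefix="ir-demo-"))
    sample = work / "auth.log"
    sample.write_text(SAMPLE_LOG)
    evidence = work / "evidence"
    manifest = preserve_evidence([sample], evidence, collector="ir-oncall")
    before = verify_evidence(evidence)
    copy = evidence / "auth.log"
    os.chmod(copy, 0o640)                # someone undoing the read-only bit
    copy.write_text(SAMPLE_LOG.replace("svc_backup", "svc_bakup"))
    after = verify_evidence(evidence)
    return {
        "manifest": manifest,
        "sample_sha256": hashlib.sha256(SAMPLE_LOG.encode()).hexdigest(),
        "sample_size": len(SAMPLE_LOG.encode()),
        "mismatches_before": before,     # expected: []
        "mismatches_after_tamper": after,  # expected: ["auth.log"]
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest does not replace a forensic disk image or memory capture; it makes the copies you did take defensible, because anyone can later recompute the hashes and show the logs produced in discovery are the ones collected on the day. Storing the manifest hash out of band is the part people skip, and it is the part that answers the question of whether the evidence directory itself was edited.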

If you wait to involve a lawyer until after a complaint arrives, you have already passed the point where the most valuable strategic choices are made. Knowing in advance which firm you will call is part of the plan, and so is understanding how to respond when your business is actually served.

Reducing Your Exposure Before Anything Happens

The cheapest breach class action is the one that never gets certified, and the groundwork for that is laid long before any incident. A few practical steps make a real difference.

Map what data you actually hold and why. You cannot protect or defend information you have not inventoried, and data you no longer need is exposure with no offsetting benefit, so retention limits belong in the same exercise.

Tighten your arbitration and class waiver language in customer agreements, since these provisions are among the strongest tools for limiting class exposure.

Review your vendor contracts for indemnification, breach notification deadlines, and data security obligations.

Document your security program in writing. Policies, training records, and audit logs are evidence that your conduct was reasonable, and logs only help if they are retained long enough to cover the months an intruder may have been present before discovery.

Finally, confirm what your cyber and general liability insurance actually covers, because coverage gaps tend to surface at the worst possible moment.

These steps matter across every sector that handles consumer data, from technology companies and banks and lenders to insurers and professional services firms. The exposure is industry-wide, and so is the value of preparing in advance.

The Bottom Line

A cyberattack creates two separate problems. The first is technical, and you may resolve it in days. The second is legal; it can last for years, and it is often the one that determines the real cost of the incident. Breach class actions reach small and midsize businesses now, the legal theories are mature, and the procedural tools that decide these cases are well understood by the lawyers who file them.

The good news is that the same framework that makes these cases possible also makes them defensible. Standing challenges, predominance arguments, arbitration clauses, and early motion practice all work when they are deployed by counsel who knows the terrain. The businesses that fare best are the ones that prepared their contracts, their data practices, and their response plan before the breach, not after.

If your business has experienced a data incident, received a demand letter, or simply wants a proactive review of its class action exposure, the time to engage experienced business litigation counsel is now. To discuss a pending matter or a risk assessment, contact Jimerson Birr or call our team at 904-389-0050.

This article is for general informational purposes only and is not legal advice. Jimerson Birr, P.A. does not represent you until a written engagement is signed.
