Data Breach Lawyers

The Lyon Firm is actively involved in Security Breach & Personal Data Theft Class Action Lawsuits on behalf of consumers nationwide.
Nationwide Success

Protect Your Privacy

Investigating Personal Data Theft & Data Misuse Claims

Security and data breaches are an issue plaguing dozens of companies that store customers’ personal information online. Several high-profile security breach incidents have drawn security negligence into question. Attorneys and victims are holding the responsible parties accountable for leaked financial information, credit scores, credit card numbers, bank information and other confidential information.

Thousands of companies have suffered data breaches in the last couple of years. They have spawned dozens of class action data breach lawsuits that seek to compensate affected users and customers for the damage and stress it has caused in their lives.

Security breach settlements have recovered millions of dollars for victims. If you have been a victim of a security breach or received a data breach notification letter, contact a data breach lawyer at (513) 381-2333 to discuss the possible legal recourse and litigation process.

Joe Lyon is a highly-rated, Ohio-based personal data breach lawyer and Privacy Attorney representing plaintiffs nationwide in class action security breach lawsuits.

Personal Data Breach Lawsuits

Regardless of the reason or cause for a security breach, victims have the right to file a claim against a company for failing to protect their information. Such claims can often lead to a class action lawsuit.

Companies must exercise reasonable care in protecting customers’ information, and if they do not, they could be held liable for the damages that result, including identity theft.

Security breach attorneys representing plaintiffs have been able to settle multi-million dollar recoveries. If you or a loved one suffered financial losses from a data breach, contact a data breach lawyer for a free consultation.

What Law Covers Data Breaches?

In the face of online security threats, Ohio enacted the Data Protection Act (DPA), which provides an incentive-based program for businesses to strengthen their existing cybersecurity systems and practices. The DPA also provides specific steps that businesses must take in order to qualify for safe harbor under the act. The DPA aims to encourage businesses to reach higher cybersecurity levels through voluntary action.

By enacting the DPA, Ohio became the first state in the U.S. to implement a law that provides a data breach safe harbor for business entities.

Individuals can be ruined financially, and deserve proper online security measures. But many companies choose not to protect consumer privacy, and thus face class action lawsuits.

data on computer screen


Please complete the form below for a FREE consultation.

  • This field is for validation purposes and should be left unchanged.


Joseph Lyon has 17 years of experience representing individuals in complex litigation matters. He has represented individuals in every state against many of the largest companies in the world.

The Firm focuses on single-event civil cases and class actions involving corporate neglect & fraud, toxic exposure, product defects & recalls, medical malpractice, and invasion of privacy.


The Firm offers contingency fees, advancing all costs of the litigation, and accepting the full financial risk, allowing our clients full access to the legal system while reducing the financial stress while they focus on their healthcare and financial needs.

What Kind of Personal Data is Valuable?

Hackers can do a lot with unique personal data like a Social Security number. The most common data stolen includes:

Protecting your data and information is important. Even the most seemingly small or insignificant piece of data could be used to gain access to more of your personal accounts.

What Happens to Stolen Data?

The criminals behind most data breach events are after money. Once they are able to obtain a large volume of personal information, they usually put it up for sale on various online forums, typically on the dark web.

The dark web is a hidden layer of the internet, inaccessible on normal search engines–specific software is required to access it. The dark web is popular with cybercriminals as it offers anonymity and is mostly untraceable.

Once data is obtained, criminals can use it to file fraudulent tax returns, pay for medical costs, file for unemployment, open credit card accounts, and apply for various loans.

If you want more information on current data breach litigation and how to file a data theft class action lawsuit, contact The Lyon Firm at (513) 381-2333 for a free and confidential case review.

How Serious is a Data Breach? How Much is Your Data Worth?

According to Experian, some common prices for pieces of information sold on the dark web include the following:

  • Social Security number – $1
  • Online payment information – $20 – $200
  • Credit or debit card – $5 – $110
  • Drivers license number – $20
  • Loyalty accounts – $20
  • Diplomas – $100 – $400
  • Passports – $1000 – $2000
  • Subscription services – $1 – $10
  • Medical records – $1 – $1000

While such information is associated with various selling prices, the real damage is in the way it is used when sold. One item of information could lead to very costly losses.

What Should You Do if You Are a Victim of a Data Breach?

After your data is stolen once, you may always be at risk for future identity theft. But, you can protect yourself with identity theft coverage and subscribing to an ID Theft Recovery service. You can also contact a lawyer for advice on further steps you can take to cover yourself.

Even if you feel like your information is safe for now, once personal information is stolen and leaked to the dark web, the fraud risks remain as long as that information remains at large.

It’s important to stay alert and watch for signs of fraudulent activity. If you happen to see unusual activity on your accounts, be sure to take the appropriate actions to help protect yourself. If you want more information on what to do when a data breach impacts you, visit the FTC identity theft website.

After a data breach turns your life upside down, remember that you are not the only victim. There are millions of Americans who suffer from data privacy events every year. In turn, they may seek legal action for compensation and to hold companies accountable for negligent security systems.

If you want more information on current data breach litigation and how to file a data theft class action lawsuit, contact The Lyon Firm at (513) 381-2333 for a free and confidential case review.

The Lyon Firm is actively involved in numerous data privacy cases and has experience filing data security claims on behalf of plaintiffs nationwide.

Can You Sue for a Data Breach?

Companies who collect and store data have a duty to protect personal information to the best of their ability. When they are negligent, and a data theft incident occurs, they may be liable for the following:

  • Improperly monitoring data security systems for existing intrusions
  • Not ensuring that vendors with access to computer systems and data employ reasonable security procedures
  • Improperly training employees in handling emails containing personally identifiable information (PII) and personal health information (PHI)
  • Failure to maintain adequate email security practices
  • Failure to implement technical policies and procedures to allow electronic PHI access only to individuals or software programs granted access rights
  • Failure to implement procedures to review records of information system activity regularly, such as audit logs, access reports, and security incident tracking reports
  • Improperly protecting against reasonably anticipated threats or hazards to the security or integrity of electronic PHI

An experienced class action attorney can determine if you are eligible to file a data breach lawsuit or join a class of plaintiffs. A lawyer can assist in answering the following:

  • Did the company fail to adopt security safeguards that would have prevented a security breach?
  • Did the company notify customers as soon as it learned of the incident?
    Did the company provide a complete list of all
  • individuals affected by the data breach?
  • Did the company provide security in line with industry standards?

Failure to take any of these steps can result in legal action against a business entity.

Is My Personal Health Data Protected?

The Federal Trade Commission has issued a Policy Statement instructing health app and connected device companies to comply with existing data breach notification rules. A “breach of security” under the new regulation includes the acquisition of identifiable health information without the authorization of the individual.

A “breach of security” does not only mean a cybersecurity mishap, or the result of “nefarious activity,” but also prohibits the sharing of protected data without the consent of the user.

Upon discovery of a data breach, a health entity is obligated to notify each affected United States citizen, as well as the FTC.

Privacy laws are meant to protect patients’ personal health data, and when institutions fail to protect personal data they may be sued for damages. In recent years much health data has been leaked and stolen, causing significant damages to plaintiffs who have taken legal action.

What Is a Class Action Lawsuit?

A Class Action is a lawsuit brought by an individual on behalf of all other similarly situated individuals. Rule 23 of the Federal and State Rules of Civil Procedure allows for Class Action lawsuits to resolve disputes in an efficient format.

Class Actions are typically filed when the amount of money in dispute for a single plaintiff would not justify litigating the case, but where the amount of damages of the entire class of Plaintiffs would justify the cost of litigation. Without class actions, large corporate defendants would be able to cause small amounts of harm over a large group of individuals without any risk of monetary penalty.

What Are Class Action Requirements?

In order for a case to be certified as a Class Action, the Court must determine that the case is appropriate for class action treatment under Rule 23. There are different elements depending on whether the case is seeking monetary or injunctive relief. In general, the Court must find the following elements are satisfied:

  • Numerosity: The proposed class must be so numerous that simply joining the individual plaintiffs would be impractical. Generally, the class size should exceed 100 individuals.
  • Common Questions of Law or Fact: The facts and/or legal questions in the dispute must be common to all class members. This does not mean all facts or issues must be identical, but the primary facts and law that will determine the issue in dispute must be common among all class members.
  • Typicality: The named Plaintiff in the case must have the same facts and legal issues as the class they are proposing to represent. If the Plaintiff’s individual case involves issues of fact or law unique to that Plaintiff and are irrelevant to the ultimate issue, class certification may be denied by the Court.
  • Plaintiff/Counsel Adequately Represents the Class: The Court must find that the Plaintiff and Plaintiff’s Counsel are competent and will protect the class’ interests.
  • Predominance: Common questions of fact must predominate over individual facts.
  • Superiority: The Class Action is a more efficient and fair means of resolving the dispute. The Court will look at the following factors when making this determination: (1) Class Member interest in maintaining a separate action; (2) the extent of any litigation already begun by other class members; (3) desirability or undesirability of litigating the case in a particular Court ; and (4) difficulties in managing the class.

If you have any questions about class action requirements, an attorney can provide you with answers and insights.

The amount of damages recovered may be directly linked to the attorney’s skill in handling your case. Therefore, you should choose an attorney with the appropriate background and experience in litigating such cases.

How Much Can You Sue A Company For Data Breach?

Data Breach Class Action Settlements

Settlement amounts depend on various factors, such as how many consumers were affected.

The following cases provide a picture of how large many of these breaches can be, and the amount of payment involved to consumers:

  • Capital One announced that 100 million credit card accounts were hacked and personal information was stolen. Attorneys are investigating whether bank account info, social security numbers and other sensitive information was taken.
  • Yahoo has been a target in class action data breach lawsuits after tens of millions of user accounts were compromised due to ineffective site security. The company paid more than $117 million to settle the case.
  • Equifax admitted that 43 million American accounts were hacked and leaked information such as names, birth dates, social security numbers and phone numbers. Some consumers also had their tax IDs exposed. Equifax paid a settlement of over $700 million.
  • Home Depot paid $19.5 million to consumers in a data breach settlement. Home Depot agreed to pay $25 million to banks and credit card companies in the following year.
  • Facebook announced in 2018 that a data breach leaked information from over 50 million users. Class action lawsuits are pending. The social media company also faces various privacy lawsuits and settled one recently involving facial recognition technology for over $500 million.

Companies big and small today face the reality that it is likely that their network will be breached. As a result, they must do all they can to prevent attacks. If they fail to protect private information, class action data breach lawsuits can be filed.

What Industries Are Commonly Targeted in Data Breaches?

Healthcare Security Breach

The rise of healthcare hacks have left millions of patients vulnerable to stolen medical records and identity theft. The vast majority of hospitals and health insurance companies have reported medical record data breaches, and although it is unknown what can be done with medical data, patient’s financial data and personal information can easily be used in nefarious ways.

With the rise of electronic medical data storage in place of old paper files, there are more and more instances of healthcare related security breach incidents and subsequent class action lawsuits.

Hotel Data Breach

Hotels are prime targets in data theft attacks because they compile so much personal information, including names, email addresses, phone numbers, passport numbers, photo IDs, and credit card information. Hotel data breach incidents can be devastating to affected victims.

Marriott was a good example of a hotel chain that failed to meet consumer security expectations when the company was hacked and customer information for 300 guests was stolen.

Travel Site Data Breach

A data breach targeting and other affiliated vacation-booking websites exposed tens of millions of personal records. As a result, a data breach class action lawsuit was filed against Expedia and the Amazon technology that the company relies on to keep their data protected.

Plaintiffs say the companies involved in the breach failed to adequately protect customers’ information, then left it to the media to eventually inform affected consumers. The data breach was first reported in November 2020, involving Expedia and services and Amazon Web Services technology. An investigation found a “misconfigured” cloud-based server, compromising sensitive personal information.

Experts estimate at least 10 million records dating back to 2013 could have been exposed, including credit card numbers, home addresses, passport numbers, and driver licenses.

Restaurant Data Breach

Restaurants have been hacked in recent years, and most have admitted they were not prepared and do not have the ability to ward off such data theft attacks.

Arby’s, Checkers, and many others have been the subject of attacks and subsequent class action data privacy lawsuits. Consumers and restaurant customers have a right to use their credit card and assume their personal information is protected by a company.

Have There Been Any Auto Data Breach Incidents?

To add to other privacy concerns for American consumers, automobile manufacturers are allegedly collecting personal data at a rapid pace. Unfortunately, there have already been security breaches involving automakers. General Motors (GM) announced in May 2022 that it was hit by a credential stuffing attack that exposed customer information and allowed hackers to redeem rewards points and gift cards.

GM said that they detected the malicious login activity and began a data theft investigation. GM posted a data breach notification and sent notices to affected customers.

A credential stuffing attack is possible when credentials are obtained from a previous data breach. Such data was likely not obtained from GM but a third party.
The stolen personal data of affected GM customers includes full names, email addresses, home addresses, usernames and phone numbers, last known and saved favorite location information, avatars and photos, profile pictures, search and destination information, and Wi-Fi hotspot settings.

Recent reports note that some modern cars collect a vast amount of personal data, and may track where we live, who we text, and what restaurants we visit. Collected data isn’t delivered to car owners, but rather to the automakers, or third parties willing to pay for the data. The data generated by cars may be worth billions of dollars each year.

photo of data breach attorney Joe Lyon
Compensation for Victims

Why Are Data Breach Cases Important?

Without data breach class actions, large corporate defendants would be able to cause small amounts of harm over a large group of individuals without any risk of monetary penalty.

Holding companies accountable for poor cybersecurity and data theft incidents helps ensure that consumers are better protected in the future. Compensation in a data breach lawsuit may cover:

  • Unauthorized charges
  • Damage to credit
  • Cost of replacing credit cards
  • Costs of credit monitoring
  • Losses due to investigation time and expenses
  • Loss of business opportunities
  • Damage to reputation
  • Emotional distress

The amount of damages recovered may be directly linked to the attorney’s skill in handling your case. Therefore, you should choose an attorney with the appropriate background and experience in litigating such cases. Contact us at (513) 381-2333 to schedule a free consultation to discuss your rights.


  • This field is for validation purposes and should be left unchanged.

Questions About Data Breach Lawsuits

What steps can you take if you are a victim of a data breach?

If you were affected by a data breach, you should:

  1. Get confirmation of the data breach and collect as many details about the incident as possible.
  2. Contact an attorney to investigate the complex litigation involved in security breach lawsuits.
  3. Try to find out what information was exposed and protect yourself as much as possible.
  4. Talk to an attorney before accepting any settlement directly from a company.
    Monitor your accounts and personal information closely.

Contact a lawyer if you have questions about your legal rights after a breach.

Can I sue a company for releasing my personal information?

Yes, in most cases. Each case is different, but some recent lawsuits have proven to be quite valuable. In one data breach suit, plaintiffs obtained a $17.5 million settlement against The Home Depot due to a data breach. The settlement resolves a multistate data breach which exposed the payment card information of approximately 40 million Home Depot consumers.

The Home Depot data breach made the company’s self-checkout point-of-sale system vulnerable. In addition to the $17.5 million settlement, The Home Depot has agreed to improve network security and maintain data security practices in order to strengthen its data security program and protect the personal information of consumers.

Who is liable for a data breach?

Under current privacy law the firm or organization that is storing user data is responsible for data breaches and will pay any fines or damages that are the result of legal action.

The actual data holder—an organization that provides cloud storage—is not usually legally implicated or held responsible in litigation.

How do data breaches occur?

The majority of data breach incidents are due to hackers manipulating outdated or negligent network security systems. Outside threats pose personal data risks for consumers, though there is also a risk with poor internal security and cloud-based data networks. Some common ways data can be compromised include:

  • Exposing data in code banks
  • Leaking data from misconfigured data buckets
  • Expired security certificates
  • Storing data with unsecured third party vendors
  • Relaxed email security standards
  • Ransomware attacks
  • Malware attacks
  • Phishing attacks

If you are unsure about the status of your personal data, contact The Lyon Firm at (513) 381-2333. We can help you determine if a data breach has occurred and can advise you on what your next steps are.

protect your personal data

What should you do following a data breach?

Following a data breach incident, victims should consider talking to a legal expert, and move quickly to take the following steps to help prevent identity theft and fraud:

  • Confirm the data breach by contacting the “breached” company
  • Learn exactly what kind of personal data was compromised
  • Monitor your accounts for fraudulent activity
  • Change your logins and passwords
  • Keep a detailed record of suspicious activity
  • Contact your bank and cancel credit cards if they have been leaked
  • Stay alert for signs of future identity theft
  • Sign up for a credit monitoring service
Recent Class Action Cases

We work with law firms across the country to provide the most resources possible and to build your case into a valuable settlement. 

Data Breach & Privacy Lawsuits

Invasion of privacy law has been established to protect consumers and citizens of the United States. When companies are negligent and fail to protect consumer information, which can be used in malicious ways, victims can contact a class action attorney to represent them in class action data breach lawsuits. A number of privacy breach and data breach claims have been settled by The Lyon Firm and other consumer protection lawyers around the country.

Consumer Protection Class Action

Consumers have rights in the USA, and when companies do not provide a service they have promised, or hold up their end of a bargain, legal action may be necessary. Consumer protection attorneys work on your behalf to hold companies responsible for providing a fair and safe service.

The Lyon Firm has worked with law firms nationwide in consumer class actions involving deceptive marketing, false advertising, food mislabeling and misleading marketing claims.

TCPA Robocall Class Actions

TCPA lawsuits have become one of the most common kinds of legal claims. The TCPA Act provides privacy protection for consumers by restricting how companies and organizations can contact you by telephone. Robocall harassment and unfair debt collection has been a serious issue that has required lawsuits in order to keep telemarketing companies at bay.

If you have experienced telephone harassment by a bank, real estate company, hotel, political campaign or anyone else, you may have TCPA claim. The Lyon Firm works diligently to seek compensation for those harassed at their home or work.

Wage and Hour Lawsuits

Class action wage and hour lawsuits are always ongoing, as some employers fail to treat employees properly, and attempt to cut workers out of earned wages. Wage theft lawsuits can be valuable for a class of plaintiffs who believes their employer has cheated them out of overtime pay and other earned wages.

There have been several wage theft lawsuits and settlements that have compensated employees for the wages they have earned, as well as damages for emotional distress and punitive damages when an employer is negligent in treating workers in accordance to Ohio labor law.