How Much Can You Sue for a Data Breach

The amount you can sue for in a data breach varies significantly, ranging from as low as $100 to as high as $7,500 per person, depending on the settlement and your eligibility. In recent high-profile cases, the damages have been substantial—the AT&T settlement in 2026 awarded eligible claimants up to $7,500 each after two data breaches compromised 73 million customers. However, most data breach settlements result in smaller per-person payments, typically between $100 and $500 in cash awards, supplemented by credit monitoring and identity theft protection services.

The actual amount you receive depends on several factors: the type of data exposed (sensitive medical records command higher damages than email addresses), whether you can prove the data was actually misused for fraud, and the strength of the lawsuit against the company. Under California’s Consumer Privacy Act (CCPA), you can pursue statutory damages ranging from $100 to $750 per person per incident, though this requires proof of negligence on the company’s part. The total settlements paid by corporations have grown dramatically—2025 alone saw over $70 billion in class action settlement payouts, with data breach cases representing a significant portion of this historic total.

What Amount Can You Recover in a Data Breach Settlement?

Your recovery in a data breach settlement depends primarily on how the settlement is structured and whether you file a claim. Recent settlements illustrate the range: the AT&T settlement provided up to $7,500 per eligible person, the Marriott settlement (October 2024) paid out from a $52 million pool for 131.5 million affected customers, and the Kaiser Foundation Health settlement distributed $46-47.5 million among claimants. These amounts represent the top tier of data breach compensation and typically go to claimants who can demonstrate financial harm or who are in particularly sensitive categories (healthcare data is often valued more highly). Most data breach settlements, however, award much smaller amounts.

The Norton Healthcare settlement, with a May 18, 2026 claims deadline, and countless others offer $100-$500 in cash per person, combined with years of free credit monitoring and identity theft protection. This is because many breaches affect millions of people but involve less sensitive data or don’t include evidence that the information was actually stolen for fraudulent purposes. The settlement pool is divided among all eligible claimants, which can result in very small per-person payments when millions of people are affected. If you can prove actual financial losses from the data breach—such as fraudulent charges, credit damage, or identity theft—your claim may be valued higher within a settlement or give you grounds for additional damages outside of the class action process. This is where the difference between a simple exposure settlement and one involving documented fraud becomes critical.

Statutory Damages vs. Actual Harm—Understanding the Gap

Statutory damages provide a floor for data breach claims but don’t necessarily reflect your actual losses. Under CCPA, companies can be liable for $100 to $750 per person per violation, which means a single breach incident affecting you could theoretically yield damages in that range if you pursue an individual claim—but in practice, almost all data breach cases proceed as class actions, which distribute the total settlement far more thinly. A $100 million settlement divided among 10 million affected people yields only $10 per person before administrative costs. The significant gap between potential statutory damages and what claimants actually receive represents a major limitation in data breach litigation. When the Equifax breach (2017) affected nearly 150 million people, the total settlement was $575-700 million, with $425 million allocated to a consumer fund.

That sounds substantial until divided by 150 million—many claimants received less than $50 in cash. Some got only free credit monitoring, while others with documented identity theft losses received higher cash awards or extended monitoring periods. This limitation means you shouldn’t expect to receive full statutory damages unless you pursue an individual lawsuit and can prove negligence on the company’s part. Class actions prioritize efficient resolution and finality over maximizing individual payments. Additionally, settlement funds have expiration dates—you typically must file your claim within 12-24 months of the settlement’s approval, or you forfeit your share.

Major Data Breach Settlements (2024-2026) and Per-Person Payouts

AT&T (2026): $7500
Marriott (2024): $400
Lehigh Valley Health (2024): $5000
Kaiser Foundation: $2500
Yale New Haven: $1200

Source: Settlement filings and court approval documents; AT&T settlement details from getoutofdebt.org, Marriott from infosecurity-magazine.com

How Recent Settlement Examples Illustrate Damage Ranges

The 2026 AT&T settlement is among the highest per-person payouts in recent data breach litigation. AT&T agreed to $177 million to resolve claims from two data breaches affecting 73 million customers, with eligible claimants receiving up to $7,500 each. This wasn’t awarded to everyone—the amount depended on proof of harm, documentation of expenses, and whether the person’s data was in both breaches versus just one. The settlement also included four years of complimentary credit monitoring and identity theft protection. The Yale New Haven Health settlement ($18 million, finalized March 3, 2026 for a March 8, 2025 data incident) demonstrates how quickly healthcare breaches move through litigation.

Healthcare data commands premium values because it includes medical histories, social security numbers, and insurance information—all highly valuable to identity thieves and used for medical identity theft schemes. Claimants with documented losses from the breach received higher settlements than those seeking only monitoring services. Compare these to the Lehigh Valley Health Network settlement of $65 million (September 2024) following a medical record hack, which shows the consistency in healthcare damages. The medical sector has seen particularly aggressive litigation because federal HIPAA breach notification rules create clear documentation of what was exposed. In contrast, the Capital One settlement ($190 million for a breach affecting 100 million customers in 2025) likely averaged less than $2 per person in direct cash, though credit monitoring added substantial value.

Factors That Determine How Much You Can Sue For

The type of data exposed is the primary factor determining settlement value. Social security numbers, medical records, and financial account information generate significantly higher damages than names and email addresses alone. Healthcare data consistently yields the largest settlements because medical identity theft can cause years of billing problems, credit damage, and physical harm if records are altered. Financial account data (bank accounts, credit card numbers) is also valued highly because fraud is easily documented. In contrast, breaches involving only email addresses or usernames typically settle for much lower amounts or generate only credit monitoring offers rather than cash payouts. Proof of negligence strengthens a data breach claim considerably.

If a company failed to implement basic cybersecurity measures—like encryption, firewalls, or security patching—damages increase. This is why settlements vary dramatically: a breach of poorly-secured data is worth more than a breach of well-protected data at a security-conscious company. The Marriott settlement ($52 million, October 2024) was substantial partly because the breach persisted for years without detection, suggesting inadequate security monitoring. The number of claimants is inversely related to per-person payments. A $100 million settlement divided among 1 million people yields $100 each; divided among 50 million yields $2 each. This explains why widespread breaches affecting average consumers often pay very little per person despite massive total settlements. Companies with fewer, more valuable customers (like healthcare providers) typically generate higher per-person settlements.

The Class Action Process—Why Individual Recoveries Are Usually Small

Class action settlements involve substantial administrative overhead that reduces claimant payouts. After a settlement is reached, a portion of the funds goes toward attorney fees (typically 25-33% of the settlement), claims administrator costs, and court-approved expenses. If you receive $100 from a data breach settlement, the company may have actually allocated $150-200 of settlement funds to “your share” before processing fees. This structure ensures the lawsuit proceeds efficiently, but it significantly reduces individual claimant recovery. The class action process also creates temporal limitations on your ability to recover. Most data breach settlements require claims to be filed within 12-24 months of settlement approval.

If you miss the deadline—often because you never received notice of the settlement or didn’t realize you were affected—you forfeit your share entirely. The unclaimed funds typically revert to state governments or cy pres awards (donations to related nonprofits) rather than reverting to the company. This is a major limitation: in some settlements, 40-60% of allocated funds go unclaimed simply because people don’t file claims. A critical warning: not all data breach settlements include cash payments. Many consist solely of free credit monitoring and identity theft protection for 2-7 years. While this has real value (credit monitoring services cost $100-150 annually), it’s not the same as cash compensation. Some claimants receive nothing if they don’t submit claims or if the settlement is exhausted before processing all claims.

Individual Lawsuits vs. Class Actions—Different Damage Models

You have two paths to recover from a data breach: joining a class action settlement or filing an individual lawsuit. Class actions are faster and cheaper to pursue (you pay nothing unless you recover), but per-person payouts are much smaller because costs are spread across millions. Individual lawsuits can yield higher damages if you can prove significant personal losses—identity theft, fraudulent charges, credit damage, emotional distress, or time spent remedying the breach. However, individual lawsuits require you to hire an attorney, prove damages, and convince a court the company was negligent.

Individual lawsuits are practical only if you’ve suffered documented financial harm exceeding several thousand dollars. If a data breach led to $20,000 in fraudulent medical charges in your name, an individual lawsuit might recover that amount plus punitive damages. But if you simply want compensation for the breach risk itself, a class action is your only realistic option. Most companies fight individual claims vigorously, arguing that exposure to data isn’t itself harmful without proof of actual misuse. Courts have increasingly rejected pure “breach exposure” claims without documented fraud, making individual lawsuits harder to win in recent years.

The Expanding Data Breach Litigation Landscape

Data breach litigation has exploded in scope and frequency. In 2025 alone, over 1,800 class action lawsuits were filed related to data privacy breaches—a 25% increase from 2024 and a 200% increase since 2022. This growth reflects both more breaches occurring and companies settling cases rather than fighting them to trial. The total amount corporations paid in 2025 class action settlements reached over $70 billion, the highest figure ever recorded in American jurisprudence.

Data privacy breaches represent one of the fastest-growing categories of class action litigation. This expansion has created a more sophisticated settlement environment. Plaintiffs’ attorneys are developing stronger legal arguments, settlement negotiations are yielding higher valuations for data breaches, and courts are becoming more willing to approve settlements involving identity theft protection services as valuable compensation. As cybersecurity incidents continue increasing and hackers target more valuable data types, settlement averages will likely increase. However, the class action mechanism itself means that most individual claimants will still recover relatively modest amounts unless they pursue separate damages for documented fraud.

Conclusion

The amount you can sue for in a data breach ranges from statutory minimums of $100 per person under CCPA to settlement awards of $7,500 per person in cases like AT&T (2026), depending on the data type, proof of negligence, and number of affected parties. Most settlements result in much smaller per-person payouts ($100-$500 cash plus monitoring services), but the total settlement amounts have grown dramatically—corporations paid over $70 billion in class action settlements in 2025 alone. Your realistic recovery depends on whether you file a claim in available class action settlements and whether you can document actual fraud or losses from the breach.

If you’ve been affected by a data breach, your immediate action is to check settlement websites for cases matching your situation and file claims within the required deadlines. Monitor your credit and financial accounts closely for fraudulent activity—documented fraud significantly strengthens any damages claim beyond the standard settlement payout. For substantial losses (thousands of dollars in fraudulent charges), consult a data breach attorney about individual lawsuit options. The expanding litigation landscape means more settlements are being negotiated every year, and awareness of settlement opportunities is your key to potential recovery.

