Class-action breach settlements: $100M-$400M for mega-breaches, $1.50-$5 per class member.

Per-class compensation is calculated as total settlement divided by class size, providing a rough indicator of settlement value per affected individual. The actual per-individual benefit depends on enrolment rate in credit-monitoring, claim rate for out-of-pocket reimbursement, and class-action administration cost allocation.

The arithmetic per-class compensation figures in the table above (typically $1-$5) appear startlingly low against the headline settlement totals. The gap reflects three structural features of breach class-action settlements that distinguish them from traditional personal-injury or product-liability class actions.

First, settlement value is heavily weighted toward credit monitoring rather than cash. The Equifax $380.5M settlement, for example, allocated approximately $150M to credit-monitoring services, $125M to out-of-pocket cost reimbursement, $80M to attorney fees, and $25.5M to alternative cash payment and other components. The credit-monitoring component is valued at retail prices ($30+ per individual per year for a four-year programme), but actual cash outflow to the breached entity is only the enterprise bulk-pricing component (approximately $5-$8 per enrolled individual per year). The settlement value-vs-cost gap is significant.

Second, claim rates are low for cash-compensation components. Most breach class actions offer an opt-in cash payment alternative for class members who do not enrol in credit monitoring. Actual claim rates for these cash components run 5-15% of the class. The unclaimed funds either revert to the breached entity, fund cy-pres distributions to consumer-protection nonprofits, or extend the credit-monitoring programme.

Third, the class is typically very large because the breach affected a very large number of individuals. The simple division of total settlement by class size produces a low per-class figure even when total settlement is in the hundreds of millions. For an Equifax-scale class (147M), every $100M of settlement produces only $0.68 per class member.

The threshold question in every breach class action is whether the affected individuals have Article III standing to sue. The Supreme Court's 2021 decision in TransUnion LLC v. Ramirez tightened the standing analysis, requiring a concrete injury rather than a statutory violation alone for federal-court standing. The decision has not eliminated breach class actions but has changed the analysis materially.

Post-TransUnion, plaintiffs typically establish standing through one or more of: actual identity-theft incidents (rare in any individual class member, common across the class), out-of-pocket costs incurred for credit-monitoring or fraud-resolution (more common but typically small), substantial risk of future identity theft (the most-litigated theory, with widely divergent court treatment), and emotional-distress damages (largely unsuccessful in federal court). The In re Marriott Customer Data Security Breach Litigation in the District of Maryland has been the key case shaping standing analysis at the multidistrict-litigation level.

The standing analysis affects settlement timing and value materially. Cases with strong standing (clear out-of-pocket cost across substantial portions of the class) settle faster and at higher values. Cases where standing is contested may proceed to motions practice for 2-4 years before settlement, with the eventual settlement often discounted to reflect ongoing standing risk. For breach-cost budgeting, the standing question is the largest uncertainty in pre-settlement class-action reserve estimation.

Class-action attorney fees in breach litigation typically run 20-30% of total settlement value. The fee calculation can be structured as a percentage of the fund (the more common approach) or as a lodestar calculation (hours times rate, with a multiplier for risk and contingency). Courts apply enhanced scrutiny to breach-class-action fee awards because of the persistent concern that settlements provide low actual per-class compensation relative to nominal settlement value.

The Equifax settlement provides a worked example. Total settlement of $380.5M included approximately $80M in attorney fees (21%), which the Northern District of Georgia approved after extensive scrutiny. The T-Mobile settlement of $350M included approximately $79M in attorney fees (22.5%), similarly approved after extensive scrutiny. The percentage trends suggest that 20-25% is the courts' comfortable range for breach class actions in the mega-breach segment, with smaller cases sometimes seeing 25-30% to reflect the smaller absolute fee.

For breach-cost modelling, the attorney-fee component should be treated as part of total settlement cost (since it is paid from the settlement fund) rather than as a separate line. The breached entity does not write a separate cheque to plaintiff counsel; the fee is allocated from the settlement to the plaintiffs' lead counsel by the court.

Federal class actions are typically the largest, but state-law class actions in jurisdictions with stronger privacy statutes can produce material additional exposure. California's CCPA private right of action (Civil Code 1798.150) allows California-resident plaintiffs to seek statutory damages of $100-$750 per consumer per incident for breaches involving nonencrypted personal information. The Illinois Biometric Information Privacy Act (BIPA) provides $1,000-$5,000 per violation for biometric data exposure. Several other state statutes (NY SHIELD, Washington My Health My Data Act) include private rights of action.

For a breach exposing California residents, the CCPA private-action component typically adds $5-$25 per affected California resident to total class-action settlement value (the figure is materially below the $750 statutory cap because settlements discount the cap to reflect litigation risk and class-action administration practicality). For a breach exposing Illinois residents' biometric data, BIPA private-action exposure can be $200-$1,000 per resident, materially higher than CCPA on a per-resident basis.

The state-law class-action landscape has grown substantially since 2020 as more states have enacted comprehensive privacy laws with private rights of action. The trend is toward higher state-law class-action exposure as a component of total breach class-action cost, partially offsetting any softening in federal class-action exposure from TransUnion-style standing decisions.