This week, two class actions were filed in the U.S. District Court for the Eastern District of Pennsylvania against David’s Bridal based on two data breaches. The actions allege that David’s Bridal failed to protect the personal information of employees and customers.

In January 2024, David’s Bridal suffered a ransomware attack instigated by ransomware group LockBit. The complaint states that “[i]nstead of remedying its deficient cybersecurity practices following LockBit’s theft of [personal information, David’s Bridal] did nothing” and then suffered a second attack by a different ransomware group, WereWolves, in February 2024. The affected information included names, addresses, identification documents, dates of birth, Social Security numbers, and financial account information.

The plaintiffs state that when they provided their personal information to David’s Bridal, the company “promised to safeguard the sensitive, confidential data and only to use it for authorized and legitimate purposes.” Additionally, the complaint alleges that David’s Bridal failed to adequately notify the affected individuals, which did not give them the “opportunity to mitigate harm” related to the breaches. The class actions were filed on behalf of current and former employees and customers. The causes of action are negligence, breach of implied contract, breach of fiduciary duty, and unjust enrichment. One of the plaintiffs also brought a cause of action under the California Consumer Privacy Act, which allows for a private right of action for a data breach. The plaintiffs are seeking compensatory, actual, and punitive damages, restitution, pre- and post-judgment interest, as well as attorneys’ fees and costs. Additionally, the plaintiffs ask that David’s Bridal be required to implement technical and administrative security controls

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island.