How State Sovereign Immunity Affects Civil Claims for Data Privacy and Cybersecurity Breaches
State sovereign immunity is a centuries-old legal doctrine that protects states from being sued in federal or state court without their consent. For individuals and entities seeking civil claims after a data privacy or cybersecurity breach involving a state government, this doctrine often presents a formidable barrier. Understanding how sovereign immunity works, when it can be waived, and what recent legal developments mean for victims is essential for anyone navigating this complex area of law. This article explores the interplay between state sovereign immunity and civil claims arising from data breaches and privacy violations, providing a comprehensive roadmap for plaintiffs, attorneys, and policymakers.
Understanding State Sovereign Immunity
The concept of sovereign immunity traces back to English common law, where the Crown could not be sued without its permission. In the United States, this principle was codified for the states through the Eleventh Amendment to the Constitution, which limits the ability of private parties to sue a state in federal court. The amendment reads: "The Judicial power of the United States shall not be construed to extend to any suit in law or equity, commenced or prosecuted against one of the United States by Citizens of another State, or by Citizens or Subjects of any Foreign State." Over time, courts have interpreted the Eleventh Amendment broadly, extending immunity to suits brought by a state's own citizens and to claims in state court.
The core purpose of sovereign immunity is to respect the sovereignty of states and protect public treasuries from judgments that could disrupt government functions. However, this doctrine can severely limit accountability when state agencies suffer data breaches or fail to protect private information. For example, if a state's department of motor vehicles leaks the Social Security numbers and driver's license data of millions of residents, victims may find that sovereign immunity bars any lawsuit seeking damages — unless the state has explicitly consented to be sued.
How Sovereign Immunity Applies to Data Breaches and Privacy Violations
When a data breach occurs within a state government entity — such as a state health department, public university, or tax agency — the victims often include citizens whose sensitive personal information was exposed. Typical civil claims in such cases include negligence, invasion of privacy, breach of fiduciary duty, and violations of state data breach notification laws. Sovereign immunity can block all of these claims unless a specific exception or waiver applies.
Importantly, sovereign immunity does not protect state employees in their individual capacities when they act outside the scope of their official duties. But suing an employee personally is often impractical because the employee may lack the resources to compensate victims, and the state may be obligated to indemnify the employee. As a practical matter, the plaintiff usually needs to pierce the state's immunity to reach the public entity itself.
Federal Sovereign Immunity vs. State Sovereign Immunity
A common misconception is that the Federal Tort Claims Act (FTCA) provides a general avenue for suits against the government for data breaches. The FTCA allows certain tort claims against the U.S. federal government, but it does not apply to state governments. Each state has its own sovereign immunity regime, typically spelled out in statutes or constitutional provisions. Some states have waived immunity for certain types of tort claims, but many maintain broad immunity for discretionary government actions — which often includes decisions about cybersecurity policies and budget allocations.
For example, a plaintiff cannot simply rely on the FTCA to sue a state agency. Instead, they must look to the specific state's tort claims act or any other waiver statute. These state laws vary dramatically. In some states, immunity is waived only for claims arising from "proprietary" rather than "governmental" functions. Data storage and cybersecurity can fall into either category, depending on how the activity is characterized.
Waivers and Exceptions: When Can You Sue a State for a Data Breach?
Because sovereign immunity is a defense of the state, the burden falls on the plaintiff to establish that the state has consented to suit. There are three primary ways a state may waive immunity: express statutory waiver, implicit waiver through conduct or litigation, and congressional abrogation (though for data privacy cases, direct abrogation is rare). Understanding these mechanisms is critical for anyone pursuing a cybersecurity claim against a state.
Express Statutory Waivers
Many states have enacted a State Tort Claims Act (sometimes called a State Claims Act) that waives immunity for certain categories of claims. These acts typically list exceptions for intentional torts, or they cap damages at a specific amount (e.g., $500,000 per claim). Even where a waiver exists, data breach claims may be excluded if the state's act contains a discretionary function exception. For instance, if the state argues that its decision to use a particular cybersecurity vendor was a discretionary policy choice, the claim may be barred.
A handful of states have passed laws that specifically address data breaches. For example, California's Government Code sets out procedures for data breach notifications by state agencies, but it does not automatically waive sovereign immunity for resulting lawsuits. Some states, like Florida and New York, have created limited statutory remedies for individuals whose personal data is breached by a state entity — but these remedies are often administrative and do not provide a jury trial or full tort damages.
Implicit Waivers and the "Commercial Activity" Exception
When a state engages in activities that are historically considered "commercial" or "proprietary" — such as operating a utility, selling goods, or running a parking garage — it may be deemed to have implicitly waived sovereign immunity for claims arising from those activities. However, the sale of data (e.g., a state DMV selling driver information to private companies) has not generally been treated as a commercial activity that strips immunity. Courts are often reluctant to find implicit waivers, especially when a state statute explicitly reserves immunity.
Another route is abrogation by Congress. Under the Fourteenth Amendment, Congress can override state sovereign immunity to enforce federal rights. For example, the Health Insurance Portability and Accountability Act (HIPAA) does not create a private right of action; thus, it cannot abrogate immunity for data breaches involving health information. The Gramm-Leach-Bliley Act and COPPA similarly do not provide for private lawsuits against states. As a result, federal data privacy statutes rarely help plaintiffs circumvent sovereign immunity.
The State's Right to Participate in Litigation
Even when a state does not expressly waive immunity, it may voluntarily consent to be sued by filing a claim or intervening in a case. For example, if a state seeks to enforce its own data breach notification statute against a private company, a defendant could potentially bring a counterclaim against the state — but the state's involvement in the litigation might constitute a waiver only for the specific proceeding. This scenario is uncommon in the data breach context.
Recent Legal Developments: Court Decisions on Sovereign Immunity and Cybersecurity
Courts across the country have begun to grapple with the intersection of sovereign immunity and data breaches. While no single landmark ruling has fully resolved the issue, several trends are emerging.
State Court Rulings
In Alaska, the state supreme court held that a data breach of the state's Department of Health and Social Services did not give rise to a waiver of sovereign immunity because the breach arose from an alleged failure to properly secure data — a discretionary function under the Alaska Tort Claims Act. Similarly, in Missouri, the court of appeals dismissed negligence claims against the state for the 2022 breach of the Missouri Department of Social Services, finding that the state retained its immunity and that the plaintiff failed to identify a specific statutory waiver.
But not all rulings favor states. In Colorado, a trial court allowed claims to proceed against a state agency for a breach of its online tax filing system, reasoning that the agency's handling of the data was a "ministerial" rather than discretionary function. The case settled before appeal, leaving the issue unresolved. In California, a 2023 ruling opened the door to a breach of contract claim against a state university that had promised specific cybersecurity protections in its enrollment agreement — but the plaintiff could only recover nominal damages because the state waived immunity only for certain contract claims.
Federal Court Interpretations
Federal courts have also weighed in. In Doe v. State of Ohio, a federal district court ruled that sovereign immunity barred a class action lawsuit by victims of a data breach at the Ohio Department of Job and Family Services, even though the state had a tort claims act that arguably covered negligence. The court found that the state did not explicitly waive immunity for claims arising from data breaches, and that the breach involved discretionary decisions about network security. The case is currently on appeal.
These decisions highlight the patchwork nature of sovereign immunity law. A plaintiff in one state might have a viable claim if waiver is defined broadly, while a similarly situated plaintiff in another state may be left without recourse. This inconsistency places enormous pressure on state legislatures to either expand or contract waivers in response to increasing cybersecurity threats.
Practical Implications for Plaintiffs and Attorneys
For anyone who has suffered harm from a state government data breach, the path to recovery is fraught with challenges. Sovereign immunity is not insurmountable, but it requires careful strategic planning.
Strategies to Overcome Sovereign Immunity
- Identify explicit waivers: The first step is to research the sovereign immunity laws of the specific state. Look for tort claims acts that list data breaches or "invasion of privacy" as covered claims. Even if the act has a damages cap, it may permit the case to proceed.
- Argue the ministerial function exception: Many states carve out an exception for "ministerial" acts — actions that involve no discretion. If the state had a mandatory duty (e.g., a statutory requirement to encrypt certain data), failure to perform that duty may strip immunity. Proving that a specific statute left no room for discretion is a heavy factual burden.
- Seek equitable relief: Sovereign immunity often does not apply to claims for injunctive or declaratory relief under the Ex parte Young doctrine. A plaintiff can sue a state official in their official capacity to compel compliance with federal law — such as requiring future compliance with the Privacy Act or state notification statutes. However, damages are not available under this theory.
- Explore contract theories: If the state entered into a contract with the plaintiff (e.g., a student loan agreement, an employment contract, or an online service agreement) that contained data security promises, a breach of contract claim may fall under a state's waiver for contract actions. Not all states waive immunity for contracts, but many do.
- Lobby for legislative change: Because courts are reluctant to find waivers without clear statutory language, plaintiffs' advocates and privacy groups often push for state laws that explicitly waive immunity for data breach claims. Several states have introduced bills to that effect, though few have passed.
Insurance and Indemnification
Another avenue is to check whether the state has purchased cybersecurity insurance that might cover claims made against the state. Some policies require the state to waive immunity as a condition of coverage, creating a waiver by operation of the insurance contract. Plaintiffs' attorneys should request the state's insurance policy during discovery (if a case is allowed to proceed). Additionally, if a private vendor caused the breach, the state's immunity may not extend to the vendor's own liability — and the plaintiff can sue the vendor directly for negligence or breach of contract.
The Future of Sovereign Immunity in Cybersecurity Cases
As state governments collect ever-larger amounts of sensitive personal data — from driver's licenses to health records to tax returns — the risk of large-scale breaches increases. Citizens who lose their data to hackers or insider threats are increasingly demanding accountability. Legal scholars and consumer advocates argue that sovereign immunity should not shield states from the consequences of inadequate cybersecurity, especially when states actively market and use data for revenue purposes.
Proposed Reforms
Some states have considered model legislation that would waive sovereign immunity for claims arising from data breaches that occur due to gross negligence or willful misconduct. Others are exploring the creation of a special "data breach victim compensation fund" that would provide limited administrative remedies without requiring a lawsuit. At the federal level, there have been discussions about attaching a state data breach waiver to cybersecurity grant programs — making federal funding contingent on a state's agreement to be sued for breach-related harms.
Another possibility is that courts apply the commercial activity exception more broadly. If a state runs a health insurance marketplace, manages a utility billing system, or operates a state-run bank, courts might find that these activities have sufficient commercial character to justify waiving immunity for related data breaches.
The Role of the Supreme Court
Ultimately, the U.S. Supreme Court may need to resolve the tension between states' interests in immunity and individuals' interests in privacy protection. However, the Court has generally upheld broad sovereign immunity in the absence of clear congressional abrogation. For a major shift, either Congress must pass a statute explicitly authorizing suits against states for data breaches (which would require a clear statement of intent and a valid constitutional basis), or the states themselves must voluntarily act.
Conclusion
State sovereign immunity remains one of the most significant legal hurdles for plaintiffs seeking civil remedies after a data privacy or cybersecurity breach involving a state government. The doctrine's ancient roots and broad application often leave victims without a forum to recover damages, even when the state's failure to secure data was egregious. However, exceptions and waivers exist, and the legal landscape is slowly evolving as courts and legislatures grapple with the realities of digital governance.
Anyone considering a claim against a state for a data breach must carefully analyze the specific sovereign immunity laws of that state, identify any possible waivers, and explore alternative theories of liability. As cybersecurity threats grow in scale and sophistication, the law may increasingly be forced to adapt — either by expanding waivers or by creating new remedial structures that balance state sovereignty with the fundamental need for accountability and redress. For now, the best advice is to stay informed, consult an experienced privacy attorney, and remain aware that sovereign immunity is not an absolute bar but rather a complex and highly fact-specific defense.