Stieglitz v. IronMountain Solutions Inc.

Filed in the U.S. District Court for the Northern District of California, this class action alleges that IronMountain Solutions failed to protect the sensitive personal information of over two million customers. A cyberattack in mid-2025 exploited known security vulnerabilities, resulting in the exfiltration of Social Security numbers, financial records, and protected health information. Lead plaintiff Michael Stieglitz claims the company ignored prior warnings and delayed implementing industry-standard encryption and multi-factor authentication, directly causing widespread identity theft and financial fraud. The complaint asserts violations of the California Consumer Privacy Act, other state data breach notification laws, and common law negligence, seeking monetary damages, credit monitoring services, and injunctive relief to compel comprehensive security overhauls.

As of early 2026, the case remains in active litigation. IronMountain has filed a motion to dismiss, contesting Article III standing and the sufficiency of negligence pleadings. The court has not yet ruled on class certification, and no settlement has been reached.

Whether IronMountain Solutions breached its duty of reasonable care by maintaining inadequate cybersecurity safeguards and whether its failure to timely detect and disclose the breach constituted gross negligence, thus establishing liability for the resulting consumer harms.

The lawsuit has intensified public and regulatory scrutiny on data stewardship practices, accelerating legislative efforts toward a comprehensive federal privacy framework. It has also driven enterprises across sectors to re-evaluate third-party risk management and has heightened demand for cyber insurance policies with stricter security audit requirements.