Data breach class action costs mount up

Organisations holding data on US citizens must do more to address gaps in their cyber security posture and respond to incidents in a timelier fashion if they are to avoid falling victim to rising legal costs.

An analysis of the past six months of data breach filings Stateside, conducted by continuous controls monitoring (CCM) specialist Panaseer, found that organisations are paying out millions of dollars in regulatory fines, class action settlements and individual payouts.

From August 2024 to February 2025, the data – drawn from third-party sources – revealed that 43 lawsuits were filed and 73 settlements reached.

Panaseer found US organisations have paid a total of $154,557,000 (£116,195,000) in class action costs since last August, with settlements averaging $3m and the largest hitting $21m.

Individual payouts to affected employees or customers ranged from $150 a head to $12,000, sums that many organisations can ill afford on top of the other costs of a breach, such as engaging third-party forensics and remediation services.

“While people – and the courts – can be understanding when a company falls victim to an attack, they’re far less forgiving when it looks like the organisation failed in its duty of care around data,” says Jonathan Gill, CEO at Panaseer.

“But most breaches don’t happen because companies wilfully ignore security. Instead, they will set a target risk position, then over time slide back and take on more exposure than intended because well-intentioned people don’t have information they can trust, presented in a language they understand, to do the important work. It’s a process problem, not a people problem.” 

Gill said that without a system of record in place covering incident preparedness, the gap between where businesses think they are and where they actually are can widen until organisations believe they are doing everything right, when the reality is much different.

“Assumptions about coverage can mask critical blind spots: unpatched systems, misconfigurations and unnoticed gaps that persist beneath the surface,” he said. “And as our analysis shows, these ‘unknown unknowns’ can be incredibly costly, not just in fines and legal fees, but in reputational damage and loss of customer trust.”

The most common failings leading to costly payouts were inadequate cyber security measures, noted in 50% of filings and 97% of settlements; failure to encrypt data, noted in 40% of filings but just 1% of settlements; and delays to breach notifications, noted in 10% of filings and 3% of settlements.

Breach litigation at unprecedented levels

Overall, the data show US data breach litigation reached record levels in 2024, with filings doubling over 2023. States with tougher privacy laws, such as California, Florida, Illinois and New Jersey, unsurprisingly saw the most class action activity.

Gill said organisations needed to recognise that the best defence against winding up in a US court is to be able to demonstrate and prove that they have conducted appropriate and effective due diligence around their security – starting by painting a clear and accurate picture of their core data and IT assets, and the measures that are in place to protect them.

“Demonstrating a good faith effort is one of the strongest defences against legal action,” he said. “Yet the root cause of today’s cyber security challenges isn’t just threats, it’s the way we manage them.

“The attack surface is expanding, visibility is shrinking and security teams are juggling an ever-growing stack of siloed solutions – 83 on average, from 29 different vendors,” said Gill. “This lack of visibility creates a ripple effect. Security teams struggle to track assets, decision-makers lack the right insights and stakeholders can’t translate technical complexity into business risk. Over time, controls drift, alert fatigue sets in and preventable breaches occur.”

To break this cycle, he urged chief information security officers to bring security back to three foundational basics – visibility, alignment and clarity – with a system of record that functions similarly to how Workday works for HR leaders, or Salesforce for sales.

“[A] trusted, truthful source gives teams a single, validated view of security data, understandable by all stakeholders,” said Gill. “This in turn allows teams to report on cyber security and drive action based on data-driven insights, mapped to business priorities.

“This way, organisations can prevent problems before they escalate, streamline operations and move from reactive firefighting to proactive resilience. And then, even if the worst happens, they can show they did the right things.” 
