US companies face hefty payouts for cybersecurity failures

US firms are paying the price for inadequate cybersecurity practices as settlements soar to $155 million
In a stark revelation by Panaseer, a leading authority in cybersecurity posture management, US companies are grappling with a staggering financial burden due to data breaches. With settlements from recent class action lawsuits amounting to a total of $154,557,500 over just six months, the need for robust cybersecurity initiatives has never been more critical. The analysis highlights persistent issues such as poor security measures, unencrypted data, and delayed breach notifications as the most frequent causes of these costly violations.
Panaseer's comprehensive review of data breach litigation, dating from August 2024 to February 2025, found that poor cybersecurity practices are racking up millions in fines and settlements for businesses. A total of 43 lawsuits were filed in this timeframe, with 73 settlements reached, averaging around $3 million for each settlement, and reaching as high as $21 million in the largest cases. Individual payout amounts to victims varied significantly, from $150 to as much as $12,000.
The majority of legal actions stem from critical vulnerabilities: 50% of filings cited inadequate cybersecurity measures, while 40% noted failure to encrypt data, and 10% pointed to delayed notifications of breaches. Healthcare, finance, and retail sectors were the most affected, accounting for 32.7%, 13.2%, and 5.3% of lawsuits respectively, with states enforcing stringent privacy laws, such as California and Florida, leading the way in litigation.
“While people – and the courts – can be understanding when a company falls victim to an attack, they’re far less forgiving when it looks like the organization failed in its duty of care around data,” remarks Jonathan Gill, CEO at Panaseer. He further explains that breaches often occur not from negligence but from a lack of reliable information and clarity in risk management.
In 2024, data breach litigation soared to unprecedented levels, with class action filings doubling compared to the previous year, prompting Panaseer to advocate for organisations to proactively demonstrate due diligence in their cybersecurity protocols. This begins with a transparent understanding of assets and the protections in place to guard them.
“Demonstrating a good faith effort is one of the strongest defenses against legal action,” Gill continues. He stresses the importance of addressing the complex challenges posed by an expanding attack surface, with security teams managing an average of 83 different siloed solutions from 29 vendors. This fragmentation hampers efficacy and breeds blind spots, exposing companies to further risks.
Gill concludes that a pivotal shift is necessary for organisations to strengthen their cybersecurity posture. “We need a system of record for the CISO, in the same way the Sales leader has Salesforce and the People leader has Workday,” he asserts, advocating for a unified source of security data that translates technical complexities into comprehensible business risks. By doing so, companies can transition from reactive measures to a proactive stance, fostering resilience against future breaches while safeguarding their reputation and customer trust.