Date: 2025-04-24

Organisations holding data on US citizens must do more to address gaps in their cyber security posture and respond to incidents in a timelier fashion if they are to avoid falling victim to rising legal costs.

An analysis of the past six months of data breach filings Stateside, conducted by continuous controls monitoring (CCM) specialist Panaseer, found that organisations are paying out millions of dollars in regulatory fines, class action settlements and individual payouts.

From August 2024 to February 2025, the data – drawn from third-party sources – revealed that 43 lawsuits were filed and 73 settlements reached.

Panaseer found US organisations have paid a total of $154,557,000 (£116,195,000) in class action costs since last August, with settlements averaging $3m and the largest hitting $21m.

Individual payouts to affected employees or customers ranged from $150 a head to $12,000, sums that many organisations can ill afford on top of other costs, such as engaging third-party forensics and remediation services.

“While people – and the courts – can be understanding when a company falls victim to an attack, they’re far less forgiving when it looks like the organisation failed in its duty of care around data,” says Jonathan Gill, CEO at Panaseer.

“But most breaches don’t happen because companies wilfully ignore security. Instead, they will set a target risk position, then over time slide back and take on more exposure than intended because well-intentioned people don’t have information they can trust, presented in a language they understand, to do the important work. It’s a process problem, not a people problem.”

Gill said that without a system of record in place covering incident preparedness, the gap between where businesses think they are and where they actually are can widen until organisations believe they are doing everything right, when the reality is much different.

“Assumptions about coverage can mask critical blind spots: unpatched systems, misconfigurations and unnoticed gaps that persist beneath the surface,” he said. “And as our analysis shows, these ‘unknown unknowns’ can be incredibly costly, not just in fines and legal fees, but in reputational damage and loss of customer trust.”

The most common failings leading to costly payouts were inadequate cyber security measures, noted in 50% of filings and 97% of settlements; failure to encrypt data, noted in 40% of filings but just 1% of settlements; and delays to breach notifications, noted in 10% of filings and 3% of settlements.