Panaseer, a leader in cybersecurity posture management powered by Continuous Controls Monitoring (CCM), has revealed new insights into the mounting legal and financial toll of data breaches on US companies. According to its analysis of data breach-related settlements and filings from the last six months, poor cybersecurity is costing US organizations millions of dollars in fines, settlement costs and individual payouts. Yet many still lack the data and resources needed to assess and address gaps in their cybersecurity posture.
Panaseer examined all data breach class action filings from ClassActions.org and settlements from Top Class Actions between August 2024 and February 2025. During this period, 43 lawsuits were filed, and 73 settlements were reached. Key findings include:
- The Million Dollar Cost of Data Breaches: US organisations have paid a total of $154,557,500 in class action lawsuits related to data breaches over the last 6 months. Settlements averaged around $3 million, with the largest reaching $21 million. Individual payouts to affected employees or customers ranged from $150 to $12,000, holding companies financially accountable for exposing sensitive data.
- Poor Security Controls Leave Companies Exposed: The most common violations leading to legal action were:
  - Inadequate cybersecurity measures (50% of filings, 97% of settlements)
  - Failure to encrypt data (40% of filings, 1% of settlements)
  - Delayed breach notifications (10% of filings, 3% of settlements)
- Tougher Regulations Driving Legal Risk: While most sectors were represented in the data, healthcare (32.7%), finance (13.2%) and retail (5.3%) were hit the hardest – facing the most lawsuits and the highest fines. Geographically, California (13.2%), Florida (11.5%), Illinois (7.1%) and New Jersey (6.2%) saw the most class action activity, likely due to stricter privacy laws in those states.
“While people – and the courts – can be understanding when a company falls victim to an attack, they’re far less forgiving when it looks like the organisation failed in its duty of care around data,” says Jonathan Gill, CEO at Panaseer. “But most breaches don’t happen because companies willfully ignore security. Instead they will set a target risk position, then over time slide back and take on more exposure than intended because well-intentioned people don’t have information they can trust, presented in a language they understand, to do the important work. It’s a process problem, not a people problem.
Without a system of record in place the gap between where the business thinks it is, and where it actually stands, widens until they think they’re secure when in reality they’re not. Assumptions about coverage can mask critical blind spots: unpatched systems, misconfigurations and unnoticed gaps that persist beneath the surface. And as our analysis shows, these ‘unknown unknowns’ can be incredibly costly, not just in fines and legal fees, but in reputational damage and loss of customer trust.”
According to industry data, data breach litigation in the United States reached unprecedented levels in 2024, with filings for class action lawsuits doubling from the previous year. In response, Panaseer is urging organizations to recognize that the best defense against legal action is to be able to demonstrate – and prove – due diligence around cybersecurity. This starts with having a clear, accurate picture of data, assets and the security controls in place to protect them.
“Demonstrating a good faith effort is one of the strongest defenses against legal action. Yet the root cause of today’s cybersecurity challenges isn’t just threats, it’s the way we manage them,” Gill continues. “The attack surface is expanding, visibility is shrinking, and security teams are juggling an ever-growing stack of siloed solutions – 83 on average, from 29 different vendors. This lack of visibility creates a ripple effect. Security teams struggle to track assets, decision-makers lack the right insights, and stakeholders can’t translate technical complexity into business risk. Over time, controls drift, alert fatigue sets in, and preventable breaches occur.”
“But there is another way. To break the cycle, we need to bring security back to its foundation: visibility, alignment and clarity. We need a system of record for the CISO, in the same way the Sales leader has Salesforce and the People leader has Workday. This trusted, truthful source gives teams a single, validated view of security data, understandable by all stakeholders. This in turn allows teams to report on cybersecurity and drive action based on data-driven insights, mapped to business priorities. This way organizations can prevent problems before they escalate, streamline operations, and move from reactive firefighting to proactive resilience. And then, even if the worst happens, they can show they did the right things.”