According to industry data, data breach litigation in the United States reached unprecedented levels in 2024, with class action filings doubling from the previous year. With the news that M&S may also face a class action, this could be the start of class actions filtering into the UK business space, which should set alarm bells ringing for UK businesses. Here, Panaseer examines the implications.
Panaseer examined all US data breach class action filings and settlements between August 2024 and February 2025, finding that:
- US organisations paid a total of $154,557,500 (£115,469,160) in data breach class action settlements over those six months, with settlements averaging $3 million (£2.241m).
- MGM Resorts agreed a $45m (£33.61m) class action settlement in January 2025; it is not included in Panaseer's analysis because the final approval hearing is not until 18 June 2025.
- The most common violations cited were inadequate cybersecurity measures (50% of filings, 97% of settlements), failure to encrypt data (40% of filings, 1% of settlements) and delayed breach notification (10% of filings, 3% of settlements).
- Healthcare (32.7%), finance (13.2%) and retail (5.3%) were the sectors hit hardest, facing the most lawsuits and the largest settlements.
Jonathan Gill, CEO, Panaseer, commented: “While people – and the courts – can be understanding when a company falls victim to an attack, they’re far less forgiving when it looks like the organisation failed in its duty of care around data. But most breaches don’t happen because companies wilfully ignore security. Instead, they will set a target risk position, then over time slide back and take on more exposure than intended because well-intentioned people don’t have information they can trust, presented in a language they understand, to do the important work. It’s a process problem, not a people problem.
“Without a system of record in place the gap between where the business thinks it is, and where it actually is, widens – so that they think they’re secure when in reality they’re not. Assumptions about coverage can mask critical blind spots: unpatched systems, misconfigurations and unnoticed gaps that persist beneath the surface. And as our analysis shows, these ‘unknown unknowns’ can be incredibly costly, not just in fines and legal fees, but in reputational damage and loss of customer trust.”
Gill continues: “Demonstrating a good faith effort is one of the strongest defences against legal action. Yet the root cause of today’s cybersecurity challenges isn’t just threats, it’s the way we manage them. The attack surface is expanding, visibility is shrinking, and security teams are juggling an ever-growing stack of siloed solutions – 83 on average, from 29 different vendors. This lack of visibility creates a ripple effect. Security teams struggle to track assets, decision-makers lack the right insights, and stakeholders can’t translate technical complexity into business risk. Over time, controls drift, alert fatigue sets in, and preventable breaches occur.”
Gill concludes: “To break the cycle, we need to bring security back to its foundation: visibility, alignment, and clarity. We need a system of record for the CISO, in the same way the Sales leader has Salesforce and the People leader has Workday. This trusted, truthful source gives teams a single, validated view of security data, understandable by all stakeholders. This in turn allows teams to report on cybersecurity and drive action based on data-driven insights, mapped to business priorities. This way organisations can prevent problems before they escalate, streamline operations, and move from reactive firefighting to proactive resilience. And then, even if the worst happens, they can show they did the right things.”