Will Sweeney is the Founder and Managing Partner of Zaviant, a data security and privacy consulting firm based in Philadelphia.
As the number of data breaches continues to skyrocket, it's not a question of if a cyber attack will occur—it's when. In the U.S. alone, the number of reported data breaches has jumped from 447 in 2012 to a record-breaking 3,205 in 2023. USA Today notes that "there were 1,571 data breaches reported in the first half of 2024, a 14% increase compared to the same period last year."
Let’s Talk Dollars
With litigation and regulatory fines factored into the equation, data breaches can be very expensive. The global average cost of a breach reached an all-time high of nearly $4.9 million in 2024. That’s why many enterprising attorneys have begun building entire practices around suing organizations that violate privacy laws or mishandle sensitive consumer information.
The Growing Industry Of Data Privacy Litigation
Data breaches have always carried the risk of litigation, but this threat has intensified over the last few years. Today, plaintiff law firms are more active than ever, leading to earlier and parallel litigation proceedings alongside official regulatory actions.
This is partly due to the U.S. Securities and Exchange Commission’s (SEC) cybersecurity disclosure rule which mandates public companies disclose material cybersecurity incidents within four business days. This has increased scrutiny from opportunistic lawyers, leading to more litigation. Furthermore, consumers affected by a data breach can file lawsuits against companies for privacy violations, negligence or deceptive business practices.
The Ever-Evolving Risk Landscape
For better or worse, new rulings are continuously reshaping the data privacy litigation landscape, which has resulted in contradictory court rulings. For example, plaintiff lawyers face the challenge of proving "injury-in-fact" to meet federal standing requirements. The 2021 U.S. Supreme Court ruling in TransUnion LLC v. Ramirez states that the risk of future harm alone is insufficient, and this has been applied to dismiss some data breach claims (but some courts are finding ways to allow these claims to proceed anyway).
On the other hand, state laws like the California Consumer Privacy Act (CCPA) provide statutory damages for data breaches, even without individual damages. This evolution will continue as plaintiff lawyers pursue companies for the recently created claims and defense lawyers find ways to defend against them.
As data breaches continue to increase in frequency and the legal system grapples with the issues, companies must accept that the ongoing evolution of the risk landscape will continue.
Non-Breach Litigation
It’s important to note that litigation is not limited to data breaches. There is a growing trend of litigation related to cross-border data transfers, misuse of personal data, online safety and privacy policy shortcomings. Furthermore, data scraping, where third parties extract data from websites, has also become a focal point (U.S. class actions have targeted the use of scraped data for training AI models).
Non-breach litigation is another reason why it’s more important than ever for organizations to abide by all relevant data privacy rules and best practices. Currently, there are no comprehensive federal laws that protect data privacy in the U.S., but there are a handful of federal laws that safeguard data in certain contexts or sectors—like the Health Insurance Portability and Accountability Act (HIPAA) or the Children’s Online Privacy Protection Act (COPPA). Furthermore, around 20 states have passed their own data privacy laws so far, and we will likely see an increase in new legislation in 2025.
Building A Defensible Position
Organizations should take proactive steps to protect themselves against all facets of cyber risk, including litigation. This includes staying in compliance with all official rules and regulations, establishing a data privacy governance program and building a robust security posture. Aligning with a voluntary cybersecurity framework like ISO 27001/2 or SOC 2 can be especially helpful, as both require certification proving your organization is taking the steps necessary to adequately protect sensitive data, which can help stave off litigators.
Start With What's Happening Right Now
The data privacy landscape is complex and multifaceted, but organizations still have time to prepare for the rising tide of litigation. They should acknowledge the evolving legal environment while committing to addressing known issues, immediately auditing their processes and procedures to ensure they are compliant with current regulations. Once an organization is compliant, it is much easier to adapt to the evolving legal requirements of the next several years.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?

1 year ago
66













English (US)