Regulatory fines could be the tip of the iceberg for enterprises as data breach lawsuits expected to surge in 2025
CISOs may soon need to contribute to class action defense funds within businesses
The associated costs of data breaches are set to diversify according to Forrester, with the analyst firm predicting that fines won’t be the only financial consideration in the wake of a cybersecurity incident in 2025.
Dubbed ‘Predictions 2025: Cybersecurity, Risk, And Privacy,’ Forrester’s report suggested breach-related class action costs will surpass the cost of regulatory fines by 50% in the coming year.
“Breach-related spending is no longer limited to regulatory fines and remediation costs,” the report warned.
Forrester drew attention to lawmakers by way of explaining this prediction, who have failed to strengthen cybersecurity requirements and legislation despite the increasing frequency, scale, and consequence of cyber incidents.
In lieu of stringent regulation, customers, staff, and shareholders have turned to litigation in search of damages, as well as to force companies into making improvements to their security risk management.
The implication for CISOs is stark, the study noted. Forrester predicts that execs could be asked to contribute towards organizational class action defense funds in 2025, ultimately pushing the associated costs of class actions past those associated with regulatory fines.
Data breach costs are rising
Financial exposure in litigation is “enormous,” the report claimed. By way of example, Forrester gestured to a class action involving T-Mobile which saw the firm agree to pay out $350 million.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
The impetus for this lawsuit was a cyber attack that hit T-Mobile in 2021 and which saw users’ personal data breached. The mobile company also said that it would put $150 million into fortifying its cyber defenses.
A similar breach-related class action is currently being proposed against background checking service, National Public Data (NPD).
The breach at NPD - which the lawsuit claimed leaked the data of nearly three billion people - could force the firm into paying an unspecified amount of restitution for the consequences of the incident, which included invasion of privacy.
“Hundreds of cases are awaiting trial, including more than 100 surrounding the MOVEit vulnerability breach and 50 for the Change Healthcare cyber attack,” Forrester added.
George Fitzmaurice is a staff writer at ITPro, ChannelPro, and CloudPro, with a particular interest in AI regulation, data legislation, and market development. After graduating from the University of Oxford with a degree in English Language and Literature, he undertook an internship at the New Statesman before starting at ITPro. Outside of the office, George is both an aspiring musician and an avid reader.