Big cyber attacks on well-known brands like Mango, Jaguar Land Rover, Gucci, and British Airways have made headlines recently. But legal experts say the focus is shifting. Instead of just huge breaches making news, smaller cyber incidents are now also stirring up lawsuits and regulatory investigations.
Josh Mooney, who leads cyber and data privacy at the law firm Kennedys in the US, explained that even breaches affecting just tens of thousands of people are triggering legal action these days. A few years back, a data breach involving fewer than 20,000 individuals might not have led to any lawsuits. Now, those smaller incidents often lead to multiple class action suits filed in different courts.
Mooney said, “Two years ago, a breach of 700,000 people might have seen one or two lawsuits. Today, the same breach might result in six or more suits across the country.” This pattern is appearing for smaller breaches too.
When personal information is exposed in a breach, laws require companies to notify affected people and regulators. In the US, these laws are stricter and often mean companies have to make public announcements if they can’t reach those affected directly. This public disclosure often sparks more class action lawsuits.
Usually, multiple lawsuits from the same breach are combined into one case. The companies’ lawyers try to get the claims dismissed or limited early on, arguing that there is no real harm or only a possibility of future harm, an argument courts sometimes accept. If the case moves forward, it leads to discovery and often settlement talks.
Adding to this challenge is the global nature of many hacks. Companies whose breaches affect people in the EU or UK must meet tight reporting rules under GDPR, which are very different from US laws. This complicates matters because the same incident might count as a breach under one law but not another.
Insurers are watching these trends closely. More lawsuits over smaller breaches could mean higher costs for defending and settling claims, even for mid-sized companies.
Regulators also seem to be getting tougher. Authorities such as state attorneys general and health regulators have started enforcing privacy and breach laws more aggressively. Mooney advises companies to improve their cyber defenses now, because once a breach happens, regulators will scrutinize how good their protections were at that time.
He pointed out, “Regulators won’t come knocking before a breach. But after one, they will look closely at your cybersecurity, and that’s something you can’t change after the fact.”
This new phase in cyber liability means even smaller companies need to pay attention. Breaches that used to fly under the radar are now drawing legal and regulatory heat, making strong cyber protections and quick, transparent responses more important than ever.