Cybersecurity News that Matters

BakerHostetler Launches 2025 Data Security Incident Response Report

by Business Wire

Apr. 16, 2025
2:37 AM GMT+9

BakerHostetler presents its 11th annual Data Security Incident Response Report — the only law firm report of its kind — which provides valuable insights and statistics drawn from the firm’s experience guiding clients through more than 1,250 data security incidents in 2024

WASHINGTON–(BUSINESS WIRE)–BakerHostetler’s internationally recognized Digital Assets and Data Management Practice Group released its 2025 Data Security Incident Response Report, which provides insight and analysis from more than 1,250 data security incidents managed by the firm this past year. The 11th edition of the report — a one-of-a-kind publication from a law firm — features a deep dive into critical components of security incidents (e.g., response timeline, average ransom payment amount, frequency of litigation) as well as an examination of trends in litigation, privacy, artificial intelligence, web tracking, the regulatory landscape and more. It provides organizations around the globe with metrics to make data-driven decisions before, during and after security incidents.




Key takeaways:

  • Companies are starting to win the battle against ransomware. Successful attacks are fewer. Time to restore is faster. Payments are lower.
  • Forensic investigation costs dropped dramatically, marking a three-year low and a 30% reduction. In just the past two years, the average forensic costs for the 20 largest network intrusion matters declined from $550,000 to $273,000.
  • Less malware is being used. Use of compromised credentials is more prevalent. So identity access management and access controls are even more important.
  • Post-data breach class action filing frequency was slightly less than the year before (lawsuits were filed after 51 out of 518 disclosed incidents compared with 58 out of 493 disclosed incidents in 2023). This was the first year in the past five without an increase.
  • Wire fraud impact grew. The total amount of fraudulent transfers grew by over 300%, from $35 million in 2023 to $109 million in 2024. The average fraudulent wire transfer was over $1 million.
  • Health care continued to be the industry with the most incidents (36%).

Key quote

“It is correct but also misleading to say that the cybersecurity risk landscape is dynamic. New threats and variations on old schemes emerge, but many of the underlying tactics and methods have not changed in years. We produce the DSIR Report to illustrate nuances that make a difference in understanding the risk landscape (both likelihood and impact) and share insights from the full suite of advisory services the firm provides across the entire data and technology life cycle,” said Theodore J. Kobus III, chair of BakerHostetler’s DADM Practice Group. “We are proud that the report has become a must-read resource for organizations worldwide as they develop privacy and cybersecurity strategies to manage the risks associated with data.”

Ransomware impact less severe

It is rare that our clients experience more than one ransomware attack. After more than five years of attacks, many organizations have experienced one and learned the lessons to prevent a second. Law enforcement continues to be effective at disrupting the operations of ransomware groups. The report shows that the most active groups rarely remain at the top for more than a year. Organizations are more resilient. With better backup strategies, organizations rarely need to pay for a decryptor. More often, they are paying to prevent publication of stolen data; on average, the amount of such payments is lower than when a decryptor is needed. The average ransom paid dropped 33% in 2024 to $501,388 (down from $747,651 in 2023).

Forensic investigation costs decreased significantly

Forensic investigation costs continue to drop, declining 30% in 2024 and marking a three-year low. Key factors driving down costs are preexisting Endpoint Detection and Response Coverage, triage collection tools, virtualization, wider use of SIEMs and a mature industry that has developed efficiencies (e.g., low-flat-fee approaches for common matters like email access events).

Data breach litigation trended (slightly) downward

Reversing course, data breach litigation decreased in 2024 for the first time, with 51 incidents (out of 518 disclosed incidents) resulting in one or more lawsuits (compared with 58 out of 493 disclosed incidents in 2023).

Privacy statute lawsuits also slowed

Website privacy lawsuits, which exploded at the end of 2022 and beginning of 2023, slowed in 2024. And website privacy case settlements saw an uptick. As the report states: “This may be a function of the sheer number of cases that were initially filed and some litigation fatigue from the plaintiffs’ bar.”

Fraudulent fund transfers skyrocket

The total amount of fraudulent fund transfers more than tripled from 2023 to 2024 — increasing from $35 million to $109 million. These include successfully diverted wires, direct deposits and ACH payments. The average fraudulent transfer amount also surged from $430,445 in 2023 to $1,256,797 in 2024. The top two industries targeted were business and professional services and finance and insurance, with just over 50% of the wire fraud matters affecting those two industries.

The median time from initial account access to discovery of the fraudulent fund transfer was significantly higher when compared with all incidents generally (18 days compared with three days). This lag in discovery significantly impacts the ability to recover funds.

Health care remains a target

The health care sector (including biotech and pharma) accounted for 36% of the incidents tracked by the DSIR Report — health care has been the industry with the most incidents for all 11 years of the report. Health care also had the highest average ransom paid of any industry, at $847,875.

Key quote

“Compromise response metrics enable organizations to cut through the noise and confusion to identify risk-based measures to enhance their incident response preparedness level and mature their security program,” said Craig Hoffman, co-leader of BakerHostetler’s national Digital Risk Advisory and Cybersecurity team.

BakerHostetler’s DADM Practice Group — made up of more than 100 attorneys and technologists — unites key service offerings and technologies intersecting with the life cycle of data. A globally recognized leader, the group boasts a roster that includes attorneys who have practiced in this space for more than two decades, former federal prosecutors, veteran in-house counsel and past government agency leaders. With eight top-tier rankings by Chambers USA and Legal 500, the DADM Practice Group is considered a powerhouse for cybersecurity, privacy, advertising, data governance and emerging technology matters. For more information, visit bakerlaw.com/DigitalAssetsDataManagement. Connect with us on LinkedIn at @BakerHostetler, @TedKobus and @CraigHoffman or on the social platform X at @BakerHostetler.

About BakerHostetler

BakerHostetler helps clients around the world address their most complex and critical business and regulatory issues. Our highly ranked attorneys deliver sophisticated counsel and outstanding client service. We have six core practice groups — Business, Digital Assets and Data Management, Intellectual Property, Labor and Employment, Litigation, and Tax — and more than 1,000 lawyers. For more information, visit bakerlaw.com.

Contacts

Courtney B. Fletcher

202-861-1514

John Garger

516-405-3113

