Cybersecurity and data privacy have moved well beyond the IT function; they are now central legal, regulatory, and enterprise-risk concerns. According to Norton Rose Fulbright's 2026 Annual Litigation Trends Survey, cybersecurity exposure continues to escalate for U.S. organizations, even as overall litigation volumes show a modest decline.
The findings reflect a reality cybersecurity leaders already recognize: breaches are no longer just technical failures. They trigger regulatory scrutiny, class actions, third-party risk claims, and board-level consequences—often simultaneously.
Cybersecurity litigation risk is rising faster than expected
The survey reveals that 38% of organizations experienced increased cybersecurity and data privacy dispute exposure in 2025, making it the largest single area of increased litigation risk, ahead of employment and labor disputes.
Notably, this increase exceeded what corporate counsel had predicted the year before—highlighting how quickly the threat landscape is shifting.
Cybersecurity is also the only dispute category where actual exposure outpaced expectations, underscoring the unpredictability of modern cyber risk and the accelerating sophistication of attackers.
For CISOs, this reinforces a critical message: incident response planning must now assume legal escalation as a default outcome, not a worst-case scenario.
While federal enforcement activity declined in 2025, 82% of respondents reported increased state-level enforcement as regulators stepped in to fill the gap.
This creates a fragmented compliance environment where organizations face overlapping—and sometimes conflicting—privacy, breach notification, and cybersecurity requirements.
The report warns that multijurisdictional enforcement is becoming the norm, especially following large data breaches that expose consumer or patient data across state lines.
Implication for security teams: technical controls alone are insufficient. Cyber programs must align closely with legal, compliance, and privacy teams to ensure defensibility before regulators—not just resilience against attackers.
"As more states develop, implement, and enforce cybersecurity and data privacy laws and regulations, organizations will face increasing pressure to enhance their practices," said Ji Won Kim, Partner at the firm. "Whether the risk is from a recent acquisition or a third-party provider in your supply chain, establishing thorough due diligence and remediation protocols is key to mitigating the broad scope of exposure."
AI is amplifying both threats and legal complexity
Artificial intelligence is emerging as a double-edged sword. While more than 60% of organizations now use customized generative or agentic AI tools, 59% of corporate counsel say managing litigation risk related to AI has already become a challenge.
From a cybersecurity perspective, AI is:
- Increasing attacker sophistication and speed
- Complicating data lineage, monitoring, and explainability
- Introducing new legal questions around accountability and data governance
The survey identifies AI-driven attacker sophistication and AI-related data tracking challenges as major contributors to rising cyber and privacy exposure in the year ahead.
Cybersecurity incidents are increasingly followed by litigation. Cybersecurity and data privacy class actions rose year-over-year, with 40% of organizations involved in class actions reporting cyber-related claims, up from 32% the prior year.
At the same time, 77% of respondents expressed growing concern about "nuclear verdicts" exceeding $10 million, and 58% are worried about verdicts exceeding $100 million.
These outcomes are driving higher settlement demands, increased litigation costs, and more aggressive plaintiff strategies.
For CISOs, this translates into a stronger mandate to:
- Demonstrate due diligence and reasonable security controls
- Maintain auditable security governance
- Document risk-based decision-making for boards and regulators
Industry-specific pressure points
The survey highlights sharp differences by sector:
- Healthcare: 37% saw increased cybersecurity and privacy exposure, driven by ransomware, patient data theft, and regulatory penalties.
- Energy: 44% reported increased cyber and data privacy exposure—the highest of any industry—as operational technology and critical infrastructure attacks rise.
- Technology: A majority expect cyber incidents and data breaches to increase litigation exposure in the coming year.
The survey makes clear that cybersecurity leaders must think beyond prevention and detection. Key priorities include:
- Integrate cybersecurity into enterprise risk and legal strategy rather than treating it as a standalone technical function.
- Strengthen third-party risk management, as regulators increasingly scrutinize vendor and supply-chain exposure.
- Prepare for post-incident litigation, including evidence preservation, breach documentation, and regulator engagement.
- Reevaluate AI governance, focusing on data protection, explainability, and compliance readiness.
- Communicate cyber risk in legal and financial terms to boards, executives, and insurers.

