2024 was a year chock-full of data breaches and privacy violations. Many new data privacy and cybersecurity regulations were introduced (and became effective), and regulators sent a strong message to businesses that privacy must be at the forefront of their strategy and goals and that robust security controls are required to protect employee and consumer personal information. Plaintiffs also sent a strong message to businesses that breaches will likely result in class action lawsuits.

This year, financial settlements with regulators and data breach victims were particularly prominent. Here are the top data protection fines and settlements in the U.S. last year, according to Infosecurity’s 2024 report:

  • Meta’s $1.4 billion settlement with the Texas Attorney General for unlawful collection of biometric data in violation of the Texas Capture or Use of Biometric Identifier Act and The Deceptive Trade Practices Act (largest ever privacy settlement in the U.S.).
  • Lehigh Valley Health Network’s $65 million class action settlement after a data breach involving 600 patients and employees (the data accessed were addresses, email addresses, dates of birth, Social Security numbers, and passport information, as well as various medical data and some nude photos) (largest settlement on a per-patient basis for a healthcare ransomware breach case).
  • Marriott’s $52 million settlement with 50 U.S. states related to a multi-year data breach that affected over 131 million users of the Starwood guest reservation database (allegations were related to failure to comply with consumer protection laws, privacy laws, and data security standards).
  • 23andMe’s $30 million settlement agreement resulting from a class action against it for a data breach affecting ancestry data (these accounts were not protected by multi-factor authentication; 23andMe denied any wrongdoing in the settlement agreement and contends that the breach was a result of users’ reusing credentials across multiple websites).
  • T-Mobile’s $15.75 million settlement with the Federal Communications Commission (FCC) for several security incidents (2021, 2022, and 2023) that resulted in millions of consumers’ personal data being accessed by cyber criminals (T-Mobile also has to invest the same amount, $15.75 million, to update its cybersecurity practices and safeguards).
  • AT&T’s $13 million FCC settlement over its supply chain breach which led to cyber criminals’ exfiltration of customer personal information (AT&T agreed to update its data governance and supply chain integrity practices).

As we head into the new year, the landscape of data privacy laws in the U.S. will continue to change. Eight new consumer privacy laws will become effective throughout the year, and companies should be prepared for more rulemaking that could expand compliance obligations and enforcement.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island.