A Year in Privacy and Security: Privacy Violations, Large-Scale Data Breaches, and Big Fines and Settlements
Thursday, January 2, 2025

2024 was a year chock-full of data breaches and privacy violations. Many new data privacy and cybersecurity regulations were introduced (and became effective), and regulators sent a strong message to businesses that privacy must be at the forefront of their strategy and goals and that robust security controls are required to protect employee and consumer personal information. Plaintiffs also sent a strong message to businesses that breaches will likely result in class action lawsuits.

This year, financial settlements with regulators and data breach victims were particularly prominent. Here are the top data protection fines and settlements in the U.S. last year, according to Infosecurity’s 2024 report:

  • Meta’s $1.4 billion settlement with the Texas Attorney General for unlawful collection of biometric data in violation of the Texas Capture or Use of Biometric Identifier Act and The Deceptive Trade Practices Act (largest ever privacy settlement in the U.S.).
  • Lehigh Valley Health Network’s $65 million class action settlement after a data breach involving 600 patients and employees (accessed were addresses, email addresses, dates of birth, Social Security numbers, and passport information, as well as various medical data and some nude photos) (largest settlement on a per-patient basis for a healthcare ransomware breach case).
  • Marriott’s $52 million settlement with 50 U.S. states related to a multi-year data breach that affected over 131 million users of the Starwood guest reservation database (allegations were related to failure to comply with consumer protection laws, privacy laws, and data security standards).
  • 23andMe’s $30 million settlement agreement resulting from a class action against it for a data breach affecting ancestry data (these accounts were not protected by multi-factor authentication; 23andMe denied any wrongdoing in the settlement agreement and contends that the breach was a result of users’ reusing credentials across multiple websites).
  • T-Mobile’s $15.75 million settlement with the Federal Communications Commission (FCC) for several security incidents (2021, 2022, and 2023) that resulted in millions of consumers’ personal data being accessed by cyber criminals (T-Mobile also has to invest the same amount, $15.75 million, to update its cybersecurity practices and safeguards).
  • AT&T’s $13 million FCC settlement over its supply chain breach, which led to cyber criminals’ exfiltration of customer personal information (AT&T agreed to update its data governance and supply chain integrity practices).

As we head into the new year, the landscape of data privacy laws in the U.S. will continue to change. Eight new consumer privacy laws will become effective throughout the year, and companies should be prepared for more rulemaking that could expand compliance obligations and enforcement.
