
BakerHostetler Releases 2026 Data Security Incident Response Report: Familiar Threats, New Pressures

The firm’s 12th annual report includes data and insights on ransomware tactics, Advanced Persistent Threat (APT) activity, continued growth in litigation risk, vendor exposure, compliance risks and the arrival of artificial intelligence as a meaningful component of security incidents

WASHINGTON, D.C.--(BUSINESS WIRE)--BakerHostetler today released its 12th annual Data Security Incident Response Report, drawing on the firm’s work guiding clients through more than 1,250 data security incidents in 2025. The report — the only one published by a law firm based on actual incident data — provides insights into cyberthreats, litigation exposure, regulatory enforcement and compliance risks.

Produced by BakerHostetler’s internationally recognized Digital Assets and Data Management Practice Group, the 2026 DSIR Report examines key incident‑response metrics, including network intrusion response timelines, ransomware and extortion payments, number of individuals notified, vendor‑related incidents, and frequency of regulatory inquiries and litigation. The findings offer organizations practical guidance to strengthen cybersecurity programs and improve incident‑response readiness in an increasingly complex threat environment. The DSIR Report also contains features on regulatory issues (health care, Securities and Exchange Commission, Federal Trade Commission, state attorneys general), emerging technology, AI and digital assets.

Report highlights and features

  • Ransomware payments. The average initial demand spiked 70% to $4.2 million. The average payment was up 36% to $682,702. A new deep-dive feature plots the number of negotiation days and the percentage discount from the starting demand. Discounts in the 50%-75% range often took 20-60 days of negotiations.
  • Lawsuits up. Last year, class actions were filed in 14% of incidents (up from 9% in 2024). A new feature shows the likelihood of a lawsuit being filed based on the number of individuals notified. Large entities (more than $5 billion in revenue) faced lawsuits even when fewer than 1,000 individuals were notified. Lawsuits were filed in 68 of 482 disclosed incidents in 2025, up from 51 of 518 in 2024.
  • At 30%, phishing remained the leading cause of incidents. For network intrusions, the root cause was not found 34% of the time (unpatched vulnerability was next at 21%).
  • Faster notification. Completing forensic investigations faster led to a three-day improvement in the time to notification. The cost of the largest investigations increased by more than 10% in 2025 compared with the previous year.
  • Vendors were the cause of 25% of matters analyzed, underscoring persistent third‑party risk and highlighting the need for robust vendor management programs.
  • AI tipping point. AI is showing up more often as a factor in incidents and is increasing the speed and scale of cyberattacks. Also increasing is the number of states enacting AI regulations.
  • Health care remained the most affected sector (27%), followed by finance and insurance (18%) and business and professional services (15%).

Key quotes

“As a firm, our competitive advantage stems from the unique perspective we gain by managing incidents, litigation and regulatory investigations across entities of all sizes. It helps us provide clients with the data-driven clarity needed to navigate cyber risks of any nature,” said Theodore J. Kobus III, chair of BakerHostetler’s DADM Practice Group. “Likewise, the DSIR Report is a tool relied on by organizations for benchmarking and making decisions on managing risk.”

“We are proud that the DSIR Report has become a trusted resource. It is an investment of hundreds of hours each year to produce, but it is worth the effort. Looking back at the data gives us the ability to deliver clear and actionable advice during incidents, as part of building compliance programs and solving challenges related to data and technology,” said Craig Hoffman, co‑leader of BakerHostetler’s Digital Risk Advisory and Cybersecurity team.

Comprising more than 100 attorneys and technologists, BakerHostetler’s DADM Practice Group is a global leader in cybersecurity, privacy, data governance and emerging technologies. The group is consistently ranked by Chambers USA and Legal 500.

For more information, visit bakerlaw.com/DigitalAssetsDataManagement.

About BakerHostetler
BakerHostetler helps clients around the world address their most complex and critical business and regulatory issues. Our highly ranked attorneys deliver sophisticated counsel and outstanding client service. We have six core practice groups — Business, Digital Assets and Data Management, Intellectual Property, Labor and Employment, Litigation, and Tax — and more than 1,000 lawyers coast to coast. For more information, visit bakerlaw.com.

Contacts

Courtney B. Fletcher
202-861-1514
cbfletcher@bakerlaw.com
