I was sipping my coffee this morning, watching steam curl out of the mug, when it hit me: lawsuits from cyber breaches are exploding.

Like, actual explosion levels of growth.

Yesterday, I told a CEO that breach-related litigation has doubled in the last 90 days—more than the entire year before.

His response? “Well, that’s just big companies, right?”

MGM-level stuff. Multi-million-dollar payouts. Headlines. Drama.

And that’s the problem right there.

Everyone thinks lawsuits are reserved for giants. The Amazons. The MGMs. The Equifaxes.

They’re wrong.

So I went digging. Wanted to see just how wrong they were.

Ever hear of Cohen Cleary, P.C.? Probably not. It’s an 11-attorney law firm. Small. Local.

They just settled for $150,000. Why? Because a hacker accessed 12,000 records. A little unauthorized access—nothing major, right? Wrong. The plaintiff claimed negligence. That’s legalese for: You had one job—protect the data—and you blew it. And guess what? They couldn’t defend themselves. They had to settle.

And I know what you’re thinking: “That doesn’t sound like much.”

But let’s do the math. That’s $150K plus three years of identity protection. What if only 20% of the victims enroll? That’s 2,400 people. At $150 per year, for three years? That’s $1.08 million on top of the $150K. All for a breach at a small law firm. And what about the legal fees?

If lawyers—people who eat lawsuits for breakfast—can get slammed for weak cybersecurity, what do you think happens to you?

Here’s the message:

The Great Cyber Shakedown isn’t coming. It’s already here.

Hackers break in. Lawyers follow. And suddenly, you’re the one cutting checks.

Big business, small business—doesn’t matter. Everyone’s a target.

And if you can’t prove you did the work—if you don’t have documentation, evidence, and audit trails—guess who’s writing the check? You.

Here’s how to stop that from happening:

  1. Have a written incident response plan. Not a mental checklist. A real, documented plan.
  2. Test the plan. Tabletop it. Fire drill it. Make sure it works when the heat is on.
  3. Build a security program. Not just antivirus. A layered, standards-based system.
  4. Collect evidence. If it’s not documented, it didn’t happen.
  5. Train your team. And no, sending them a PDF doesn’t count. You need proof.

Because without evidence, you don’t have a defense. You have a disaster.

Want to know where you stand?

Get a Cyber Liability Assessment.

We’ll find the gaps—before the hackers or the lawyers do—and show you exactly what to fix.

Because ignorance won’t save you.

But evidence just might.