Data breach cost estimator
Get a cost range for a data breach, covering notification, legal, forensic investigation, customer remediation, business impact and regulatory fines, based on your exposure profile.
Enter the number of records at risk, what type of data they contain, your industry, which regulatory regime applies, and how quickly a breach would typically be detected and contained. The estimator produces a low and high cost range for each of the five operational cost components plus a separate regulatory fine estimate.
Data breach cost estimator inputs and results
How this estimator works
Per-record operational costs are benchmarked against IBM's Cost of a Data Breach Report and vary by data type — health records carry a much higher per-record cost than basic contact information, reflecting stricter notification requirements, the higher value of health data to attackers, and the greater remediation burden on affected individuals. An industry multiplier is applied on top: healthcare and financial services consistently run above the cross-industry average due to regulatory complexity and higher reputational stakes.
Regulatory fines are estimated separately as a per-record range based on the applicable jurisdiction and data type, then added to the operational cost. GDPR fines are capped at €20M or 4% of annual global turnover, whichever is higher (Art. 83(5)), so for very large record counts even the maximum fine works out to a small amount per record. HIPAA civil penalties apply only to protected health information and are capped per calendar year for violations of an identical provision. Neither cap is modelled here, so the high end of the fine estimate may overstate exposure for very large record counts.
Detection and containment speed is applied as a cost multiplier across all components. IBM's research consistently shows that breaches contained in under 30 days cost materially less than those that run longer — both because the exposure window is smaller and because faster containment typically means better-prepared incident response, which reduces legal and remediation costs downstream.
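The combination rule described in the three paragraphs above, written out as an added example: this is not the estimator's own code, and none of the numbers in its tables come from this tool or from the IBM report. Every per-record cost, industry multiplier, speed multiplier and fine rate below is a placeholder assumption chosen to show the arithmetic. It also adds the two checks the text says the tool leaves out: the GDPR turnover cap from Art. 83(5), applied when an annual turnover is supplied, and a caller-supplied HIPAA annual cap (not hard-coded, because HHS adjusts the figure for inflation). The encryption handling follows the FAQ on this page, collapsing the fine range to its low end.

```python
from dataclasses import dataclass

# Hypothetical benchmark tables. The real estimator's figures are not published on this
# page; these placeholders only show how the five inputs combine. All money is one currency.
PER_RECORD_COST = {            # operational cost per record (low, high) by data type
    "contact": (50.0, 120.0),
    "financial": (120.0, 250.0),
    "health": (250.0, 450.0),
}
COMPONENT_SHARE = {            # how the operational total splits across the five components
    "notification": 0.10,
    "legal": 0.20,
    "forensics": 0.15,
    "remediation": 0.20,
    "business_impact": 0.35,
}
INDUSTRY_MULTIPLIER = {"retail": 1.0, "financial_services": 1.4, "healthcare": 2.0}
SPEED_MULTIPLIER = {"under_30_days": 0.8, "over_30_days": 1.2}
FINE_PER_RECORD = {            # regulatory fine per record (low, high) by regime and data type
    "gdpr": {"contact": (1.0, 10.0), "financial": (2.0, 20.0), "health": (5.0, 40.0)},
    "hipaa": {"health": (5.0, 50.0)},   # HIPAA reaches protected health information only
    "none": {},
}
GDPR_FIXED_CAP = 20_000_000    # Art. 83(5) GDPR: greater of EUR 20M and 4% of global annual turnover


@dataclass
class Estimate:
    components: dict          # component name -> (low, high)
    operational: tuple        # (low, high) sum of the five components
    fine: tuple               # (low, high) regulatory fine
    total: tuple              # (low, high) operational + fine


def estimate(records, data_type, industry, regime, speed, *,
             annual_turnover=None, hipaa_annual_cap=None, encrypted_at_rest=False):
    """Low/high breach cost range for one exposure profile (all values rounded to whole units).

    annual_turnover:   with regime "gdpr", enables the Art. 83(5) cap on the fine.
    hipaa_annual_cap:  the current per-year cap per identical provision, supplied by the caller.
                       Applying it to a single breach total is a simplification.
    encrypted_at_rest: collapse the fine range to its low end, as the encryption FAQ suggests.
    """
    speed_mult = SPEED_MULTIPLIER[speed]
    op_mult = INDUSTRY_MULTIPLIER[industry] * speed_mult
    low_pr, high_pr = PER_RECORD_COST[data_type]
    op_low, op_high = records * low_pr * op_mult, records * high_pr * op_mult
    components = {name: (round(op_low * share), round(op_high * share))
                  for name, share in COMPONENT_SHARE.items()}

    # A regime that does not cover this data type contributes no fine (e.g. HIPAA + contact data).
    # The speed multiplier is applied here too, following "across all components" above.
    fine_low_pr, fine_high_pr = FINE_PER_RECORD[regime].get(data_type, (0.0, 0.0))
    fine_low = records * fine_low_pr * speed_mult
    fine_high = records * fine_high_pr * speed_mult
    if encrypted_at_rest:
        fine_high = fine_low

    cap = None
    if regime == "gdpr" and annual_turnover is not None:
        cap = max(GDPR_FIXED_CAP, 0.04 * annual_turnover)
    elif regime == "hipaa" and hipaa_annual_cap is not None:
        cap = hipaa_annual_cap
    if cap is not None:
        fine_low, fine_high = min(fine_low, cap), min(fine_high, cap)

    op = (round(op_low), round(op_high))
    fine = (round(fine_low), round(fine_high))
    return Estimate(components, op, fine, (op[0] + fine[0], op[1] + fine[1]))


if __name__ == "__main__":
    e = estimate(100_000, "health", "healthcare", "hipaa", "under_30_days")
    print(e.components["notification"], e.operational, e.fine, e.total)
    capped = estimate(50_000_000, "contact", "retail", "gdpr", "over_30_days",
                      annual_turnover=100_000_000)
    print(capped.fine)   # both ends pinned at the EUR 20M cap
```

The second call in the usage block is the case the caveat above is about: fifty million contact records at a placeholder 1 to 10 per record would show a 60M to 600M fine, but with a 100M turnover the Art. 83(5) maximum is 20M, so a flat per-record range overstates exposure by an order of magnitude at that scale.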
About this tool
This estimator produces a cost range for a data breach based on five inputs: number of records exposed, type of data, industry, applicable regulatory jurisdiction, and how quickly the breach was detected and contained. Outputs are split into operational costs (notification, legal, forensic investigation, customer remediation, and business impact) and a separate regulatory fine estimate. Per-record cost benchmarks are derived from IBM Cost of a Data Breach Report data. Results are illustrative order-of-magnitude estimates, not actuarial calculations — actual costs vary significantly based on specific facts of an incident.
Frequently asked questions
How accurate are these estimates?
These are benchmark-based order-of-magnitude estimates, not actuarial calculations. They are calibrated against IBM's annual Cost of a Data Breach Report and publicly disclosed breach settlements, but actual costs for any specific incident vary significantly depending on the details — how the breach happened, how quickly it was disclosed, whether affected individuals suffer actual harm, and how effectively the response is handled. Treat this as a planning tool for understanding exposure magnitude, not a precise forecast.
What's not included in this estimate?
Stock price impact and shareholder litigation, third-party liability if the breach involves a vendor's data, changes to cyber insurance premiums, D&O claims, and long-term revenue impact from permanent customer loss. These are real costs but too fact-specific to estimate from five inputs. The tool focuses on the direct, first-party costs that apply to most breaches.
Why does industry matter so much?
Healthcare and financial services face stricter notification requirements, higher regulatory fine risk, and bear larger reputational costs when customer trust is central to the business model. IBM's data consistently shows healthcare breach costs running at roughly twice the cross-industry average — partly due to HIPAA, and partly because patients have fewer alternatives than, say, retail shoppers who can just use a different store.
What counts as detection and containment speed?
The time from when a breach first occurred to when it is fully contained, not just discovered; IBM calls this the breach lifecycle and measures it as time to identify plus time to contain. IBM's research consistently shows that breaches identified and contained in under 30 days cost significantly less than those that run for months. The difference comes from reduced data exposure volume, lower legal and notification costs, and better control of the public narrative.
Does encryption reduce the cost?
Yes, meaningfully. Several GDPR data protection authorities treat encryption as a strong mitigating factor that can reduce or eliminate the fine for accidental exposure, and some regimes exempt properly encrypted data from notification requirements: GDPR Article 34(3)(a) removes the duty to notify affected individuals when the data was rendered unintelligible to anyone not authorised to access it, and the HIPAA breach notification rule applies only to unsecured PHI, which HHS guidance treats as secured when it is encrypted in line with that guidance and the key was not also compromised. The safe harbour depends on the key staying out of the attacker's hands; data encrypted at rest with a key the attacker also obtained does not count as encrypted for this purpose. This tool doesn't model encryption as a separate input, but if your data at rest is encrypted and the keys were not exposed, the low end of the regulatory fine range is the more applicable estimate.