Data Breach Cost Estimator
Plug in the number of records exposed, your sector and region, and a couple of regulatory details, and get a sensible estimate of what a breach could cost. The per-record figures come from the IBM/Ponemon Cost of a Data Breach 2024 report, the regulatory fines from the headline GDPR and CCPA caps, and the range reflects the fact that no two breaches play out the same way.
Explain like I'm 5 (what even is this calculator?)
Imagine someone leaves the back door open and a load of customer records walk out. The bill that lands afterwards has three parts: clean-up costs (notification, credit monitoring, lawyers, lost customers), a fine from the regulator if you fall under one, and the slow drag of reputational damage. This calculator adds those up using public benchmarks, so you get a planning number rather than a wishful one.
Estimate your exposure
The calculator reports five figures: direct cost (response, notification, churn), the regulatory fine estimate, total exposure, a realistic range, and the effective per-record cost.
Prove it
The direct cost is records times the per-record figure for your sector, multiplied by the region and sensitivity factors, with the 10% reduction applied if the breach was reported within 72 hours. The regulatory fine is added on top, and the total is then bracketed by a 0.7x low and 1.3x high to give a planning range.
Per-record figures: IBM/Ponemon Cost of a Data Breach 2024. GDPR cap: 4% of global annual revenue. CCPA: up to $7,500 per record for intentional violations. The range reflects real-world variance, not statistical uncertainty.
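The arithmetic described above, written out as an added example so the steps can be checked independently; this is not the page's own calculator code. It uses the three per-record figures the page quotes (healthcare $408, financial $295, tech $244), the 4%-of-revenue GDPR cap with the 20 million euro floor, the $7,500 CCPA per-record cap, the 10% fast-reporting reduction and the 0.7x/1.3x range. The page does not give numeric values for the region and sensitivity factors, so they are plain multipliers defaulting to 1.0, and, because no exchange rate is given, the GDPR floor is treated as a same-currency figure; both are assumptions.

```python
from dataclasses import dataclass

# Per-record direct cost by sector, USD, as quoted on the page (IBM/Ponemon 2024).
PER_RECORD_USD = {
    "healthcare": 408.0,
    "financial": 295.0,
    "tech": 244.0,
}

GDPR_REVENUE_SHARE = 0.04          # 4% of global annual turnover
GDPR_FLOOR = 20_000_000.0          # 20 million euros; treated as same-currency (assumption)
CCPA_PER_RECORD_USD = 7_500.0      # statutory cap for intentional violations
FAST_REPORT_REDUCTION = 0.10       # 10% off direct cost if reported within 72 hours
RANGE_LOW, RANGE_HIGH = 0.7, 1.3   # planning range around the total


@dataclass(frozen=True)
class BreachEstimate:
    direct_cost: float
    regulatory_fine: float
    total: float
    low: float
    high: float
    per_record_effective: float


def regulatory_fine(regime: str, records: int, annual_revenue: float) -> float:
    """Headline cap for the chosen regime. GDPR scales with revenue, CCPA with records."""
    if regime == "gdpr":
        # "4% of turnover or 20 million euros, whichever is higher"
        return max(GDPR_REVENUE_SHARE * annual_revenue, GDPR_FLOOR)
    if regime == "ccpa":
        return CCPA_PER_RECORD_USD * records
    if regime == "none":
        return 0.0
    raise ValueError(f"unknown regime: {regime!r}")


def estimate(
    records: int,
    sector: str,
    regime: str = "none",
    annual_revenue: float = 0.0,
    reported_within_72h: bool = False,
    region_factor: float = 1.0,       # assumption: page gives no values
    sensitivity_factor: float = 1.0,  # assumption: page gives no values
) -> BreachEstimate:
    """Direct cost with factors and 72h reduction, plus the fine on top, bracketed 0.7x-1.3x."""
    if records <= 0:
        raise ValueError("records must be positive")
    if sector not in PER_RECORD_USD:
        raise ValueError(f"unknown sector: {sector!r}")

    direct = records * PER_RECORD_USD[sector] * region_factor * sensitivity_factor
    if reported_within_72h:
        direct *= 1.0 - FAST_REPORT_REDUCTION

    # The fine is added after the reduction; the 10% applies to direct cost only.
    fine = regulatory_fine(regime, records, annual_revenue)
    total = direct + fine
    return BreachEstimate(
        direct_cost=direct,
        regulatory_fine=fine,
        total=total,
        low=total * RANGE_LOW,
        high=total * RANGE_HIGH,
        per_record_effective=total / records,
    )


if __name__ == "__main__":
    # Constructed scenario: 100,000 healthcare records, GDPR, $1bn revenue, reported fast.
    e = estimate(100_000, "healthcare", "gdpr", annual_revenue=1_000_000_000, reported_within_72h=True)
    print(f"direct  {e.direct_cost:,.0f}")
    print(f"fine    {e.regulatory_fine:,.0f}")
    print(f"total   {e.total:,.0f}  (range {e.low:,.0f} - {e.high:,.0f})")
    print(f"per rec {e.per_record_effective:,.2f}")
```

Note that the fine is never discounted: the 72-hour reduction shrinks the direct cost, and the cap is layered on after that, which is why a fast response on a large GDPR-scope breach still leaves the revenue-based fine as the dominant term.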
Why "what would a breach cost us" is a harder question than it should be
The real number is never one number. A breach costs you a wedge of incident response, a wedge of legal advice, a wedge of notification and credit monitoring for affected customers, a wedge of churn from the customers who quietly leave anyway, and, depending on which regulator you fall under, a fine that can dwarf all of the above. IBM and Ponemon publish a cost-per-record figure every year because nobody else has the appetite to chase down every line item across thousands of breaches, and the calculator above is built on top of their 2024 numbers because they are the closest thing the industry has to a public benchmark.
What the per-record figure actually contains
It is not just lawyers. The IBM number bundles four broad categories: detection and escalation (forensics, audit, crisis comms), notification (letters, call centres, regulator filings), post-breach response (credit monitoring, identity protection, customer support uplift) and lost business (churn, downtime, reputation damage). Healthcare comes in highest at $408 per record because health data is regulated to the eyeballs, the litigation tail is long, and the systems involved are usually older than the people running them. Public sector is lowest, partly because customer churn is not really a thing when your "customers" are the citizens of a country.
Why GDPR scales the fine to your revenue, and CCPA scales it to your records
GDPR was written to bite multinationals: a flat fine would be a rounding error for a tech giant, but 4% of global annual turnover gets attention in the boardroom. The cap is rarely the actual fine that lands, but it is the right number to plan against. CCPA went the other way: a per-record statutory damages figure that scales linearly with the size of the leak. A breach of a million records exposes you to a theoretical $7.5 billion in CCPA damages, which is why the headline figures in the press are so eye-watering. Real settlements rarely hit the cap, but they often hit a meaningful fraction of it, and class action lawyers will anchor every negotiation on the cap.
The 72-hour reporting reduction
Both GDPR and a growing list of US state laws expect rapid disclosure: GDPR specifies 72 hours, the SEC has its own four-day rule for material breaches at listed companies, and other jurisdictions are converging on similar windows. The IBM data shows that breaches contained quickly cost noticeably less, both because the response is shorter and because regulators tend to be less punitive when they are not reading about it in the press first. The flat 10% reduction is a rough planning figure rather than a guaranteed saving, but the direction is the right one: fast and honest beats slow and hopeful, every time.
What this calculator deliberately does not try to model
Stock price impact, executive turnover, the cost of upgrading the security programme afterwards, or the long tail of reputational damage that creeps into customer acquisition costs over the following two years. Those are real, but they are case-by-case and not amenable to a public benchmark. Treat the total here as the floor: the bill that lands in the first twelve months. Anything else is on top.
Frequently asked questions
Where do the per-record cost figures come from?
From the IBM/Ponemon Cost of a Data Breach 2024 report, which has been the closest thing the industry has to a public benchmark for two decades. Healthcare leads at $408, financial at $295, tech at $244. The figures are USD averages, so they are a starting point, not a quote.
Why is the GDPR fine shown as 4% of annual revenue?
Because that is the headline GDPR ceiling: up to 4% of global annual turnover, or 20 million euros, whichever is higher. Real-world fines often land well below the cap, but the cap is the right figure to plan against.
Why does the calculator reduce direct cost when a breach is reported within 72 hours?
IBM's data has consistently shown that breaches contained within roughly three days cost less, both in direct response and in regulator goodwill. We use a flat 10% reduction as a planning estimate, which lines up with the gap between fast and slow responders in the 2024 report.
Is the CCPA figure of $7,500 per record realistic?
It is the statutory ceiling for intentional violations and the figure most class-action complaints anchor on. Real settlements often land lower, but the cap is the right planning number because it is what plaintiffs' lawyers will negotiate against.
Why is the total shown as a range?
Because every breach is different. Two companies with identical records exposed will pay very different amounts depending on litigation, churn and regulator mood. The 0.7x to 1.3x range reflects that real-world variance.