US breaches cost $10.22M on average, 2.3x the global average and 7.5x Brazil's figure. Geography is one of the strongest predictors of breach cost.

- Most expensive: $10.22M (United States)
- Least expensive: $1.36M (Brazil)
- Global average: $4.44M (across 17 countries and regions)
- Cost range: 7.5x between highest and lowest
IBM's 2025 report covers 17 countries and regions, revealing dramatic variation in breach costs that reflects differences in regulatory environment, litigation culture, labour costs, and customer expectations. The United States has been the most expensive country for data breaches for every year of IBM's study, driven by class action litigation, complex multi-state regulatory requirements, and the highest incident response labour costs globally. The 7.5x cost difference between the US ($10.22M) and Brazil ($1.36M) underscores how critical geographic context is when modelling breach impact.
Source: IBM Cost of a Data Breach Report 2025
| Country/Region | Avg Cost | Multiplier | YoY Change | Primary Regulation |
|---|---|---|---|---|
| United States | $10.22M | 2.3x | +9% | State-by-state |
| Middle East | $7.29M | 1.64x | +8% | Varies |
| Canada | $5.13M | 1.16x | +3% | PIPEDA |
| Germany | $4.85M | 1.09x | +2% | GDPR / BDSG |
| Japan | $4.53M | 1.02x | +1% | APPI |
| United Kingdom | $4.21M | 0.95x | -2% | UK GDPR / DPA |
| France | $4.08M | 0.92x | +4% | GDPR / CNIL |
| Italy | $3.86M | 0.87x | +1% | GDPR / Garante |
| South Korea | $3.62M | 0.82x | +5% | PIPA |
| Australia | $3.41M | 0.77x | -1% | NDB / Privacy Act |
| South Africa | $2.87M | 0.65x | +7% | POPIA |
| ASEAN | $2.71M | 0.61x | +3% | Varies |
| India | $2.35M | 0.53x | +6% | DPDP Act |
| Brazil | $1.36M | 0.31x | -4% | LGPD |
Regulatory environment: Countries with strict data protection regulations and active enforcement have higher breach costs. GDPR countries face fines up to 4% of global revenue or 20 million EUR, plus mandatory 72-hour notification. The US, despite lacking a federal privacy law, has the world's most complex regulatory landscape with all 50 states plus DC maintaining separate breach notification laws, each with different definitions, timelines, and penalties. This state-by-state compliance burden adds significant legal and administrative costs to every US breach.
Litigation culture: The United States has the most active class action litigation environment for data breaches. Almost every significant breach triggers multiple class action lawsuits, with settlements ranging from $30 million to $700 million for mega-breaches. By contrast, class action mechanisms are limited or non-existent in many countries, dramatically reducing post-breach legal exposure. European countries, while having strong regulatory penalties through GDPR, have less class action activity than the US.
Labour costs for remediation: The cost of incident response professionals varies enormously by market. US-based forensic investigators, breach response attorneys, and security consultants command rates of $300-$1,000 per hour, while comparable professionals in India or Brazil may charge $50-$200 per hour. Since forensic investigation and legal response are labour-intensive activities consuming hundreds to thousands of professional hours, this cost differential has a large impact on total breach cost. Organizations in high-cost markets should consider pre-negotiated retainer arrangements with IR firms to lock in rates before an incident occurs.
Customer churn expectations: Customer tolerance for data breaches varies by market. US and European consumers have the highest expectations for data protection and the greatest willingness to switch providers after a breach. In markets with fewer competitive alternatives or lower data privacy awareness, customer churn rates are lower, reducing the lost business component of breach cost. However, this is changing globally as data privacy awareness increases and privacy regulations expand.
Currency and purchasing power: IBM normalizes all costs to US dollars, but purchasing power parity means that the same dollar amount represents different real impacts in different markets. A $1.36M breach cost in Brazil represents a proportionally larger burden relative to typical Brazilian corporate revenues than a $4.85M breach cost in Germany. Organizations should consider breach cost relative to their market-specific revenue benchmarks rather than comparing raw dollar amounts across countries.
Source: IBM Cost of a Data Breach Report 2025, World Bank economic data
The General Data Protection Regulation (GDPR), enforceable since May 2018, has significantly impacted breach costs for organizations operating in the European Economic Area. The regulation's 72-hour notification requirement compresses the response timeline, often requiring expensive rapid mobilization of incident response resources. Fines up to 4% of global annual revenue or 20 million EUR (whichever is higher) create enormous regulatory exposure — Meta/Facebook's $1.6 billion fine in 2023 demonstrates that regulators are willing to impose near-maximum penalties for serious violations.
Cross-border breach complications add another cost layer. When a breach involves data subjects in multiple EU member states, the organization must navigate the "one-stop-shop" mechanism, identifying the lead supervisory authority and coordinating with concerned supervisory authorities in other affected states. This cross-border coordination extends timeline, increases legal complexity, and multiplies compliance costs. A multinational breach affecting customers in 10 EU countries requires far more legal and regulatory effort than a single-jurisdiction incident.
Despite the increase in regulatory costs, GDPR has also driven significant improvement in breach detection and response capabilities across European organizations. The 72-hour notification requirement forced companies to invest in detection infrastructure and incident response planning, leading to faster identification and containment of breaches. This investment in preparedness partially offsets the increased regulatory costs — European organizations now detect breaches significantly faster than they did before GDPR implementation.
For organizations subject to GDPR, understanding the full fine landscape is critical for breach cost planning. Visit gdprfine.com for a comprehensive database of GDPR fines and enforcement actions, including sector-specific analysis and penalty trend data.
The United States presents the world's most complex breach notification landscape, with all 50 states plus the District of Columbia maintaining separate breach notification laws. There is no federal data breach notification law, meaning organizations that experience a breach affecting customers in multiple states must comply with potentially dozens of different notification requirements simultaneously. This regulatory fragmentation is a primary driver of the US's $10.22M average breach cost.
California leads with the most comprehensive framework. SB 446 (effective January 2026) reduces the notification deadline to 30 days, the shortest of any state. Combined with the CCPA/CPRA, which imposes fines of $2,500-$7,500 per violation and grants consumers a private right of action for data breaches, California creates the highest per-state compliance burden for any US breach.
New York's SHIELD Act (2019) expanded the definition of private information and required businesses to implement "reasonable safeguards." Penalties of $5,000 per violation plus potential AG enforcement actions make New York another high-exposure state.
Texas expanded its notification requirements in 2025 with a 60-day deadline, mandatory AG notification for breaches affecting 250+ residents, and penalties of $100,000-$250,000 per breach. The state's AG has been increasingly active in enforcement.
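To make the multi-jurisdiction notification burden described above concrete, here is an added Python example (not code from the original page or from IBM) that turns the deadlines quoted in this section into an incident-response checklist. Given the discovery time and the number of affected people per jurisdiction, it lists which obligations are triggered and when each is due, so the response team can see at a glance that the GDPR 72-hour clock, not a state's 30- or 60-day window, drives the timeline. It encodes only the figures stated here (GDPR 72 hours, California 30 days, Texas 60 days and the 250-resident AG threshold); the region keys, the data model, and the assumption that the Texas AG notice shares the 60-day window are mine, and a real tracker would need the full per-state rule set referenced below.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class NotificationRule:
    region: str            # key used in the affected-count map (constructed)
    label: str             # jurisdiction / statute as named in the text
    recipient: str         # who must be notified
    window: timedelta      # clock starts at discovery
    min_affected: int = 0  # obligation triggers only at or above this count


# Deadlines and thresholds as given in the text above. The Texas AG deadline is
# not stated there; giving it the same 60-day window is an assumption.
RULES = (
    NotificationRule("EU", "GDPR", "lead supervisory authority", timedelta(hours=72)),
    NotificationRule("CA", "California SB 446", "affected residents", timedelta(days=30)),
    NotificationRule("TX", "Texas", "affected residents", timedelta(days=60)),
    NotificationRule("TX", "Texas", "Attorney General", timedelta(days=60), min_affected=250),
)


@dataclass(frozen=True)
class Obligation:
    label: str
    recipient: str
    due_at: datetime
    affected: int


def notification_obligations(discovered_at, affected_by_region, rules=RULES):
    """Return the obligations triggered by this breach, earliest due date first.

    affected_by_region maps a region key (e.g. "CA") to the number of affected
    people there. Regions with zero affected, or below a rule's threshold, do
    not trigger that rule.
    """
    obligations = []
    for rule in rules:
        count = affected_by_region.get(rule.region, 0)
        if count <= 0 or count < rule.min_affected:
            continue
        obligations.append(
            Obligation(rule.label, rule.recipient, discovered_at + rule.window, count)
        )
    return sorted(obligations, key=lambda o: o.due_at)


def earliest_deadline(discovered_at, affected_by_region, rules=RULES):
    """The single date the whole response must be planned around, or None."""
    obligations = notification_obligations(discovered_at, affected_by_region, rules)
    return obligations[0].due_at if obligations else None


def hours_remaining(now, obligation):
    """Hours left before an obligation is overdue (negative once missed)."""
    return (obligation.due_at - now).total_seconds() / 3600


if __name__ == "__main__":
    # Constructed scenario: a breach discovered on 1 March 2025 touching
    # EU data subjects plus California and Texas residents.
    discovered = datetime(2025, 3, 1, 9, 0)
    affected = {"EU": 5000, "CA": 1200, "TX": 100}
    for ob in notification_obligations(discovered, affected):
        print(f"{ob.due_at:%Y-%m-%d %H:%M}  {ob.label:<20} -> {ob.recipient} ({ob.affected} affected)")
    print("plan around:", earliest_deadline(discovered, affected))
```

In the constructed scenario the Texas AG notice is not triggered (100 residents is below the 250 threshold), and the earliest deadline is the GDPR one, three days after discovery. Raising the Texas count to 250 or more adds the AG obligation. The point of keeping rules as data rather than branching code is that adding the remaining state laws, or a contractual notification clause, is a one-line change rather than a rewrite.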
For a complete mapping of all 50 state requirements, see our notification requirements page.