Form: Cost-of-Breach Disclosure | Source: IBM 2025 | Filed: 28 Apr 2026
DataBreachCost.com
Cost File 10.NT / Notification Cost | IBM 6% of total breach cost

Cost-component profile

Breach notification: $1-$3 per letter, $20-$80 per call.

Notification is the smallest of IBM's four breach-cost categories (6% of total) but the most operationally visible. Notification cost breaks into three subcomponents: written notification to affected individuals ($1-$3 per letter including printing, postage, and processing), call-centre support ($20-$80 per call handled), and regulator filings ($50K-$500K legal fees for a multi-jurisdiction major breach). For a typical mid-market breach affecting 100,000 individuals, baseline notification cost runs $200K to $400K before any regulator engagement.

Per letter: $1-$3 (USPS first-class + printing + processing)

Per call: $20-$80 (call-centre, scripted call)

IBM category: 6% of total breach cost

100K individuals: $200K-$400K baseline notification cost

Section NT.1

Per-letter notification cost composition

Written notification by mail is required by most state breach-notification statutes when email notification is not available or not appropriate. The per-letter cost composition is: USPS first-class postage approximately $0.73 (2026 rate), envelope and printing $0.10-$0.25 (commercial-print bulk rate), letter content and address-printing services $0.30-$0.80 (varies by content complexity and personalisation), data-processing and list-management $0.20-$0.60 (legal-counsel oversight, verification, opt-out scrub), and project management overhead $0.30-$1.00 (apportioned across the notification batch).

Total per-letter cost runs $1.00 to $3.00 depending on volume, personalisation level, and complexity. At the low end, simple form-letter notification to a clean address list at scale runs close to $1.00. At the high end, breach-notification letters that include personalised account information (specific compromised data elements per individual), state-specific addendums for multi-state breaches, and registered or certified delivery for high-value affected populations can run above $3.00.

For a breach affecting 1 million individuals with mid-complexity notification requirements, the baseline letter cost is $1.5M to $2.0M. The cost is largely independent of the affected entity's size or sector, so a small-business breach with the same record count has the same letter cost as a large-enterprise breach.

Section NT.2

Email notification: cheaper, with caveats

Most state statutes permit email notification as a substitute for mail when the affected entity primarily communicates with the affected individual by email, when email is in the public record, or when email is the only available contact information. The per-email notification cost runs $0.02 to $0.10, dramatically lower than mail. For organisations with substantial email-relationship coverage of the affected population, email notification can reduce total notification cost by 80-95%.

The caveat is that email notification produces higher rates of recipient confusion and follow-up inquiry than mail. Email notification of a breach can be (and often is) mistaken for a phishing attempt, particularly when it directs the recipient to a domain other than the breached entity's primary domain. The result is elevated call-centre volume and inquiry processing cost that partially offsets the email-postage savings.

For multi-channel notification (email primary, mail backup for non-deliverable addresses, plus website posting for public awareness), the typical mix is $0.05 per email plus $1.50 per backup mail for the 10-15% of email addresses that bounce. Net cost per affected individual runs $0.20-$0.30 against the pure-mail baseline of $1-$3. The effective notification-cost savings of moving from pure-mail to multi-channel can be 70-90%, which has driven widespread adoption of email-primary notification.

Section NT.3

Call-centre cost: per-call economics

Call-centre support for breach notification is typically structured as a dedicated toll-free line operated by a third-party vendor (Experian Data Breach Resolution, Kroll, Epiq, Verita, or similar). Per-call cost runs $20-$80 depending on call complexity, agent training requirements, and call duration. Simple FAQ-style calls (5-10 minutes) run at the low end. Complex calls requiring multi-step identity verification, account-status lookup, or escalation to a fraud specialist (15-30 minutes) run at the high end.

The call-volume forecast is the most difficult component of notification-cost budgeting. Typical inbound call rates for breach notification run 5% to 25% of notified individuals, with substantial variance driven by data sensitivity (SSN breaches drive higher call rates than email-only breaches), notification clarity (vague notifications drive more clarification calls than precise ones), and media attention (high-profile breaches drive higher call rates than below-the-fold disclosures). A 100,000-individual breach with median characteristics produces 10,000 to 25,000 calls and a call-centre cost of $200K-$2M.

Call-centre cost peaks in the first three weeks after notification and tapers materially after the first month, with residual call volume continuing for 6-12 months for major breaches. Contract structures typically include a baseline-volume commitment plus per-call overage rates, with the contract priced to be cost-effective at the median call-volume forecast.

Section NT.4

Regulator-filing costs across jurisdictions

For a multi-jurisdiction breach, the cost of regulator-filing legal work has grown significantly as the state privacy law landscape has expanded. A US-only breach affecting consumers in all 50 states plus DC requires 51 distinct breach notifications to state AG or similar regulator offices, each with its own format, content, and timing requirements. The legal counsel cost for the multi-jurisdiction filing piece typically runs $50K-$300K for a mid-market breach and $300K-$1M for a major breach.

For an international breach with EU exposure, additional cost flows through GDPR Article 33 notification to the lead supervisory authority (and frequently parallel notifications to multiple member-state DPAs where the one-stop-shop mechanism does not apply). UK ICO notification is separate from EU notification post-Brexit. APAC notifications to Japanese PPC, South Korean PIPC, Singaporean PDPC, and Australian OAIC add further cost. A truly global breach with notification across US states, EU, UK, and major APAC jurisdictions can run $1M-$3M just for the regulator-filing legal work.

The regulator-filing cost is largely fixed per jurisdiction rather than scaling with record count. A 1,000-record breach affecting consumers in 50 states has roughly the same multi-state filing cost as a 100,000-record breach in the same jurisdictions. This is why the per-record notification cost decreases sharply as record count grows: the fixed-jurisdictional component is amortised across more records.
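
The multi-channel mix from Section NT.2 and the fixed filing cost described above can be combined into one budget model. This is an added example, not code from DataBreachCost.com or IBM; the function names are hypothetical, every figure is a range quoted on this page, and pairing all low values for the low bound (and all high values for the high bound) is an assumption.

```python
# Added example: all figures are the ranges quoted on this page (USD).
EMAIL_COST = 0.05                 # per email in the multi-channel mix
BACKUP_MAIL_COST = 1.50           # per backup letter sent after a bounce
BOUNCE_RATE = (0.10, 0.15)        # share of email addresses that bounce
CALL_RATE = (0.05, 0.25)          # inbound calls per notified individual
CALL_COST = (20.0, 80.0)          # per call handled
FILING_COST = (50_000.0, 300_000.0)  # mid-market multi-jurisdiction legal work


def contact_cost_per_individual():
    """Email-primary cost per individual: every address gets an email,
    the bounced share also gets a backup letter."""
    return tuple(EMAIL_COST + rate * BACKUP_MAIL_COST for rate in BOUNCE_RATE)


def notification_budget(individuals):
    """(low, high) budget. Assumption: the low bound pairs the lowest rates
    and prices, the high bound the highest; real breaches fall in between."""
    contact = contact_cost_per_individual()
    bounds = []
    for i in (0, 1):
        variable = individuals * (contact[i] + CALL_RATE[i] * CALL_COST[i])
        bounds.append(variable + FILING_COST[i])  # filing does not scale
    return tuple(bounds)


def per_record(individuals):
    """Total budget divided by record count, showing fixed-cost amortisation."""
    low, high = notification_budget(individuals)
    return low / individuals, high / individuals


if __name__ == "__main__":
    for n in (1_000, 10_000, 100_000, 1_000_000):
        low, high = per_record(n)
        print(f"{n:>9,} records: ${low:,.2f} to ${high:,.2f} per record")
```

At 1,000 records the fixed filing cost dominates the per-record figure; at 100,000 records the call-centre term does, which is why the call-volume forecast drives the budget for larger breaches.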

Section NT.5

Vendor pricing benchmarks

The major breach-notification platform vendors publish indicative pricing or have it available through breach-response procurement processes. Approximate ranges for a typical mid-market breach (100,000 individuals, US-only, multi-state but not international):

| Vendor | Letter (per piece) | Call-centre (per call) | Platform/admin (project) |
| --- | --- | --- | --- |
| Experian Data Breach Resolution | $1.50-$2.50 | $25-$60 | $15K-$50K |
| Kroll | $1.75-$3.00 | $30-$75 | $20K-$60K |
| Epiq | $1.25-$2.50 | $25-$70 | $15K-$40K |
| Verita Global / Ankura | $1.50-$2.75 | $25-$65 | $15K-$50K |
| AllClear ID | $1.25-$2.50 | $20-$60 | $10K-$40K |
| IDX (CyberScout) | $1.50-$2.50 | $25-$60 | $15K-$50K |

Pricing varies materially by volume, complexity, contracting structure, and pre-negotiated retainer status. Many large enterprises maintain retainer relationships with one or more of these vendors to enable rapid mobilisation at pre-negotiated rates.

Primary source: Notification cost benchmarks from breach-notification platform vendor public pricing, public-record breach settlement disclosures with line-item notification cost detail (Target, Equifax, Anthem), IBM Cost of a Data Breach Report 2025 notification category data, and USPS commercial-mail pricing schedules.