Data Breach Notification Requirements

All 50 US states + DC and 120+ countries have data breach notification laws. This is the complete reference for deadlines, penalties, and what triggers notification.

Fastest deadline: 72 hours (GDPR / UK GDPR)

US states: 50 + DC (all have notification laws)

Max GDPR fine: 4% revenue or 20M EUR

Notification cost: 6% of total (IBM breakdown category)

Global Notification Framework Comparison

Data breach notification laws exist in over 120 countries, but timelines, penalties, and triggers vary dramatically. The European Union's GDPR set the global standard with its 72-hour notification requirement, which has been adopted by the UK, South Korea, and Singapore. Other jurisdictions use vaguer language like "as soon as feasible" or "reasonable time," creating interpretation challenges for multinational organizations. Understanding these requirements is essential for incident response planning — you cannot determine your notification obligations during a crisis if you have not mapped them in advance.

Jurisdiction | Deadline | Authority | Max Fine | Trigger
European Union (GDPR) | 72 hours | Lead supervisory authority | 4% global revenue or 20M EUR | Risk to rights and freedoms
United Kingdom (UK GDPR) | 72 hours | ICO | 17.5M GBP or 4% revenue | Risk to rights and freedoms
United States (Federal) | No federal law | State-by-state | Varies by state | Varies by state
Canada (PIPEDA) | As soon as feasible | Privacy Commissioner | $100K CAD per violation | Real risk of significant harm
Australia (NDB Scheme) | 30 days | OAIC | $50M AUD | Likely to result in serious harm
Brazil (LGPD) | Reasonable time | ANPD | 2% revenue or $50M BRL | Risk or damage to data subjects
Japan (APPI) | Promptly (3-5 days guidance) | PPC | $1M JPY per violation | Leakage of personal data
South Korea (PIPA) | 72 hours | PIPC | 3% related revenue | Leakage of personal data
India (DPDP Act 2023) | Without unreasonable delay | Data Protection Board | 250 Crore INR (~$30M) | Personal data breach
Singapore (PDPA) | 3 days | PDPC | $1M SGD or 10% revenue | Significant harm or scale

Source: National legislation, regulatory guidance. Last verified: April 2026.

US State Notification Requirements

The United States has no federal data breach notification law. Instead, all 50 states plus the District of Columbia maintain separate breach notification statutes, each with different definitions of personal information, notification deadlines, AG reporting requirements, and penalties. This fragmentation means that a breach affecting customers in multiple states requires simultaneous compliance with potentially dozens of different legal frameworks — a primary driver of the US's $10.22M average breach cost. Below are 15 key states that represent the range of requirements; the remaining 35+ states follow similar patterns.

State | Deadline | AG Notification | Penalty | Notes
California | 30 days (SB 446, Jan 2026) | Yes (500+ records) | $2,500-$7,500/violation (CCPA) | Most comprehensive. CCPA/CPRA rights.
New York | Without unreasonable delay | Yes | $5,000/violation (SHIELD Act) | SHIELD Act expanded in 2019.
Texas | 60 days | Yes (250+ residents) | $100-$250K/breach | Expanded notification requirements 2025.
Florida | 30 days | Yes (500+ individuals) | $1K/day ($500K max) | One of the shortest deadlines.
Illinois | Without unreasonable delay | Yes | AG enforcement | BIPA biometric data law is separate.
Virginia | 60 days | Yes | $150K/violation (VCDPA) | Consumer Data Protection Act 2023.
Colorado | 30 days | Yes | $20K/violation | Colorado Privacy Act 2023.
Connecticut | 60 days | Yes | $5K/violation | Connecticut Data Privacy Act 2023.
Massachusetts | As soon as practicable | Yes | $5K/violation | 201 CMR 17.00 data security regs.
Washington | 30 days | Yes (500+ residents) | $25K/violation | My Health My Data Act 2024.
Pennsylvania | Without unreasonable delay | Yes | $1K-$5K/day | Breach of Personally Identifiable Info Act.
Ohio | 45 days | Yes | AG enforcement | Data Protection Act safe harbor.
Georgia | Without unreasonable delay | No specific requirement | AG enforcement | Relatively limited scope.
New Jersey | Without unreasonable delay | Yes | $10K/violation | Expanded PI definition 2024.
Oregon | 45 days | Yes (250+ residents) | $25K/violation | Consumer Privacy Act 2024.

Source: State legislation, National Conference of State Legislatures (NCSL)

What Triggers Notification

Notification triggers vary significantly across jurisdictions, and understanding these differences is critical for determining your obligations. The definition of "personal information" that triggers notification ranges from narrow (name + SSN or financial account number) to broad (any data that could identify an individual). GDPR uses the broadest definition: any data relating to an identified or identifiable natural person.

Encryption safe harbour: Most US state laws and GDPR include an encryption exemption — if the breached data was encrypted and the encryption key was not compromised, notification is not required. This creates a powerful incentive for encryption at rest and in transit, as it effectively eliminates the notification cost category (6% of total breach cost according to IBM) for encrypted data. However, the exemption typically requires demonstrating that the encryption met industry standards (AES-256 or equivalent) and that the key management was adequate.

Risk-of-harm thresholds: Some jurisdictions require notification only when the breach poses a "real risk of significant harm" (Canada) or creates a "risk to rights and freedoms" (GDPR). This risk-based approach allows organizations to avoid notification for low-risk incidents (e.g., encrypted laptop lost but not accessed). However, risk assessment during an active incident is challenging, and regulators have penalized organizations that used risk assessments to avoid notification when the risk was later deemed significant. The safe approach is to err on the side of notification.

Discovery vs awareness triggers: A critical distinction is when the notification clock starts. Most laws start the countdown from "discovery" or "awareness" of the breach, not from when the breach occurred. This means the clock starts when your organization becomes aware of the breach, regardless of how long the breach has been active. Marriott's breach was active for four years before discovery — the notification obligations were triggered by discovery in 2018, not by the initial compromise in 2014. Organizations must have monitoring and detection capabilities to trigger the discovery clock as early as possible.
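To make the trigger rules concrete, the added Python helper below (not part of this page or of any regulator's tooling) combines a subset of the deadlines from the tables above with the discovery clock and the encryption safe harbour, and returns the shortest fixed deadline as the one that binds a multi-jurisdiction breach. The jurisdiction labels, the BreachFacts fields and the sample scenario are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Regulator deadlines as listed in the tables above (assumed, illustrative subset).
# None marks a "without unreasonable delay" standard that has no fixed clock.
FIXED_WINDOWS = {
    "EU (GDPR)": timedelta(hours=72),
    "UK (UK GDPR)": timedelta(hours=72),
    "Singapore (PDPA)": timedelta(days=3),
    "Australia (NDB)": timedelta(days=30),
    "California": timedelta(days=30),
    "Texas": timedelta(days=60),
    "New York": None,
}

@dataclass
class BreachFacts:
    discovered_at: datetime        # the clock starts at discovery, not at compromise
    jurisdictions: list            # where affected individuals reside
    encrypted: bool = False        # data was encrypted to an industry standard ...
    key_compromised: bool = False  # ... and the key was also exposed

def encryption_safe_harbour(facts):
    """The exemption only holds if the data was encrypted AND the key stayed safe."""
    return facts.encrypted and not facts.key_compromised

def notification_deadlines(facts):
    """Map each affected jurisdiction to its regulator deadline (None = no fixed clock)."""
    if encryption_safe_harbour(facts):
        return {}
    deadlines = {}
    for name in facts.jurisdictions:
        window = FIXED_WINDOWS[name]
        deadlines[name] = facts.discovered_at + window if window is not None else None
    return deadlines

def binding_deadline(facts):
    """The shortest fixed deadline governs; vague standards never extend it."""
    fixed = [d for d in notification_deadlines(facts).values() if d is not None]
    return min(fixed) if fixed else None

# Constructed scenario: EU, Texas and New York residents affected; the intrusion
# began months earlier, but the clock starts at discovery on 3 March 2026, 09:00 UTC.
SAMPLE_FACTS = BreachFacts(datetime(2026, 3, 3, 9, tzinfo=timezone.utc),
                           ["EU (GDPR)", "Texas", "New York"])
if __name__ == "__main__":
    for name, when in notification_deadlines(SAMPLE_FACTS).items():
        print(f"{name}: {when or 'without unreasonable delay'}")
    print("binding deadline:", binding_deadline(SAMPLE_FACTS))  # 2026-03-06 09:00 UTC
```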

The Cost of Notification

IBM's cost breakdown attributes 6% of total breach cost to notification — approximately $267,000 for a breach at the $4.44M global average. However, this percentage can be much higher for breaches affecting large numbers of individuals, where per-person costs multiply across millions of records. The major notification cost components include:

Cost component | Typical cost
Individual notification letters/emails | $1-$3/person
Credit monitoring provision (typically 12-24 months) | $10-$30/person/year
Call centre setup and staffing | $50K-$200K
Regulatory filings (per jurisdiction) | $5K-$25K each
Legal review of notifications | $20K-$100K

For a breach affecting 1 million individuals, notification and credit monitoring alone can cost $10-$33 million — far exceeding the 6% IBM average because mega-breaches drive the per-person cost multiplier. This is why large-scale breaches like Change Healthcare (190M records) and National Public Data (2.9B records) generate such extreme costs: the per-person notification obligation scales linearly regardless of organizational size.

Source: IBM Cost of a Data Breach Report 2025, industry pricing benchmarks

Penalties for Non-Compliance or Late Notification

Failing to comply with notification requirements — either by not notifying at all or by notifying late — carries severe penalties that compound already-substantial breach costs. Regulators have become increasingly aggressive in penalizing delayed or inadequate notification, viewing it as a separate violation from the breach itself.

GDPR

Up to 4% global revenue or 20M EUR. The 72-hour clock is strictly enforced. British Airways was fined 20M GBP (reduced from 183M GBP) partly for delayed notification.

HIPAA

$137-$68,928 per violation, maximum $2M/year per violation category. OCR has settled for $4.75M+ for failure to notify within the 60-day requirement.

CCPA/CPRA

$2,500-$7,500 per violation. With thousands or millions of affected individuals, penalties compound rapidly. Also grants consumers private right of action for breaches.

State AG Enforcement

Multi-state AG coalitions have secured settlements of $18.5M+ (Target) and $39.5M (T-Mobile) for breach notification failures. AG offices are increasingly resourced for these actions.

The lesson is clear: timely and complete notification is not optional. Organizations that attempt to minimize or delay notification consistently face more severe regulatory action, larger class action settlements, and greater reputational damage than those that notify promptly and transparently. Uber's $148M settlement for concealing its 2016 breach (paying the attacker $100K to delete data rather than notifying) demonstrates the extreme cost of attempted cover-ups versus transparent disclosure.

Frequently Asked Questions

How quickly must a data breach be reported?

Notification deadlines vary dramatically by jurisdiction. GDPR and UK GDPR require notification to the supervisory authority within 72 hours. Singapore requires 3 days. Australia allows 30 days. California's SB 446 (effective January 2026) requires 30 days. Many US states use language like 'without unreasonable delay' or 'as soon as practicable' without specifying exact timeframes. Texas requires 60 days, Ohio 45 days. For organizations operating across multiple jurisdictions, the shortest applicable deadline effectively sets the timeline — you cannot wait for a 60-day state deadline if you also have a 72-hour GDPR obligation for the same breach.

What does GDPR require when a breach occurs?

GDPR requires organizations to notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in risk to individuals' rights and freedoms. If notification to individuals is required (when the breach is likely to result in high risk), it must be made 'without undue delay.' The notification must include: the nature of the breach and approximate number of affected individuals, contact details for the DPO, likely consequences of the breach, and measures taken or proposed to address it. Fines for failure to notify can reach 4% of global annual revenue or 20 million EUR.

How do US state breach notification laws differ?

All 50 US states plus the District of Columbia have data breach notification laws. Key variations include: notification deadline (ranges from 30 days in California and Florida to 'without unreasonable delay' in many states, to 60 days in Texas and Virginia), AG notification threshold (some require AG notification for any breach, others only above certain record counts), penalty structure (ranges from AG enforcement only to $7,500/violation in California), and definition of personal information (varies from narrow SSN/financial data to broad PII definitions). California, New York, Texas, and Florida have the most impactful requirements. The absence of federal preemption means organizations must track and comply with every applicable state law.

What happens if an organization fails to report a breach?

Failure to report a data breach carries severe consequences across multiple dimensions. Regulatory penalties can be enormous: GDPR fines up to 4% of global revenue, HIPAA penalties of $137-$68,928 per violation with a $2M/year cap, and CCPA fines of $2,500-$7,500 per violation. Beyond fines, non-notification or delayed notification consistently results in larger class action settlements (Uber paid $148M for concealing its 2016 breach), more aggressive regulatory scrutiny going forward, criminal liability in some jurisdictions (Germany, for example, can impose criminal penalties for intentional failure to notify), and devastating reputational damage when the cover-up is eventually discovered. The cost of timely, transparent notification is almost always lower than the cost of non-compliance.