Data Breach Cost by Company Size
Estimate a breach by company size and see why a smaller business faces a higher cost per record than a larger one hit by the same incident. Set your size bracket, industry, the number of records and the data type; the model adds a fixed breach-response cost to a per-record variable cost, both of which depend on size. The comparison table holds your records fixed across all three brackets so the diseconomy of scale is plain to see. Numbers update as you type. Benchmarks as of Jun 25, 2026 — sources; key figures are editable.
The same breach, across all three size brackets
| Company size | Expected cost | Cost per record |
|---|---|---|
| Micro (1–50 employees) | $2,722,500 | $109 |
| Small (51–250 employees) | $2,508,750 | $100 |
| Mid-market (251–1,000) | $2,345,000 | $94 |
Notice the cost per record falls as the company gets larger, even though the records are identical — that is the diseconomy of scale a small business faces.
Expected cost = Fbase(size) + records × veff
veff = base variable cost/record (industry) × fdata(data type) × fsize(size)
Cost per record = expected cost ÷ records
Range = expected × {0.6, 1.0, 1.7}
The fixed cost Fbase and the size factor fsize are both larger for smaller companies — the source of the diseconomy.
How it works
Company size changes a breach's cost in two ways, and this calculator models both. First, there is a fixed cost of responding to any breach — engaging forensic investigators, retaining breach counsel, running a crisis-management process — that you incur almost regardless of how many records were exposed. A micro business pays a fixed floor of $90,000, a mid-market one $320,000; the larger figure reflects a bigger, more complex organization, but it is spread over a far larger business. Second, there is a per-record variable cost that also carries a size multiplier (fsize), because smaller organizations tend to have weaker processes, less leverage with vendors and less in-house expertise, all of which push up the cost of handling each affected record.
The crucial consequence is the diseconomy of scale: hold the breach itself constant — same records, same industry, same data type — and the cost per record falls as the company grows. It is not that a larger firm's total is smaller (often it is larger), but that the fixed response cost is divided across more records and the size multiplier shrinks. For a small business, that fixed floor is the dominant term in a small breach, which is exactly why the per-record figure looks alarmingly high and why a flat industry average (which is taken across breaches of every size) understates the true small-business burden. The comparison table above demonstrates this directly: the same 25,000 records cost $109 per record at micro size but only $94 per record at mid-market.
The variable cost itself is built from your industry and your data type. The industry sets a base variable cost per record — healthcare highest, the public sector lowest — and the data type applies a sensitivity multiplier, so health data (PHI) and financial data cost more per record than ordinary personal data. Multiplying the industry base by the data-type factor and the size factor gives the effective per-record cost (veff); multiply that by your record count and add the fixed floor, and you have the expected total. The result is shown with a range — optimistic and pessimistic bands at ×0.6 and ×1.7 — to reflect how widely real outcomes vary.
This tool deliberately strips the estimator down to the size question. If you also want to credit the security controls you have in place, see the full data breach cost estimator, which applies the mitigation factors IBM measured. To explore the per-record figure on its own, use the cost-per-record calculator; for the headline averages by sector, the cost-by-industry reference. Every coefficient used here is listed, dated and linked to its source on the methodology page.
A worked example
Take the default: a Micro (1–50 employees) healthcare business holding 25,000 health data (PHI) records.
- Effective per-record cost veff = $60 (healthcare base) × 1.35 (PHI) × 1.3 (micro) = $105.30
- Variable total = 25,000 × $105.30 = $2,632,500
- Plus fixed cost Fbase(micro) = $90,000
- Expected cost = $90,000 + $2,632,500 = $2,722,500 (≈ $109 per record)
Now hold those 25,000 records fixed and move the size up. At small size the per-record cost falls to $100, and at mid-market to $94 — a drop of 14% from micro to mid for an identical breach. That gap is the diseconomy of scale in dollars. To put numbers on the controls that would lower any of these figures, use the full estimator; to read the small-business case in plain English, see the true cost of a breach for a small business.
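The model described in "How it works" and carried through in the worked example above, as an added Python example (not the site's own calculator code). The coefficients for micro and mid-market, the healthcare base and the PHI factor are the ones the page states; the small-bracket fixed cost ($180,000) and size factor (1.15) are assumptions chosen to reproduce the table's small-size figure, and the "personal" data-type baseline of 1.0 is likewise assumed.

```python
"""Size-bracket breach cost model, reproducing the page's comparison table."""
from dataclasses import dataclass

# Fixed breach-response floor and per-record size multiplier per bracket.
# Micro and mid-market values are stated on the page; the small-bracket
# values are ASSUMED (they reproduce the page's $2,508,750 small-size
# figure for the default breach, but the page never states them directly).
FIXED_COST = {"micro": 90_000.0, "small": 180_000.0, "mid-market": 320_000.0}
SIZE_FACTOR = {"micro": 1.30, "small": 1.15, "mid-market": 1.00}

# Industry base variable cost per record and data-type sensitivity factor.
# Only healthcare ($60) and PHI (1.35) appear on the page; the "personal"
# baseline of 1.0 is an assumption.
INDUSTRY_BASE = {"healthcare": 60.0}
DATA_FACTOR = {"phi": 1.35, "personal": 1.00}

# Optimistic / central / pessimistic bands from the page.
RANGE_FACTORS = (0.6, 1.0, 1.7)


@dataclass(frozen=True)
class Estimate:
    size: str
    expected: float     # Fbase(size) + records * veff
    per_record: float   # expected / records
    low: float          # expected * 0.6
    high: float         # expected * 1.7


def effective_per_record(industry: str, data_type: str, size: str) -> float:
    """veff = industry base x data-type factor x size factor."""
    return INDUSTRY_BASE[industry] * DATA_FACTOR[data_type] * SIZE_FACTOR[size]


def estimate(size: str, industry: str, records: int, data_type: str) -> Estimate:
    """Expected cost = Fbase(size) + records x veff, with the x0.6 / x1.7 range."""
    if records <= 0:
        raise ValueError("records must be a positive integer")
    veff = effective_per_record(industry, data_type, size)
    expected = FIXED_COST[size] + records * veff
    return Estimate(
        size=size,
        expected=expected,
        per_record=expected / records,
        low=expected * RANGE_FACTORS[0],
        high=expected * RANGE_FACTORS[2],
    )


def compare_sizes(industry: str, records: int, data_type: str) -> list[Estimate]:
    """Hold the breach fixed and vary only the size bracket (the page's table)."""
    return [estimate(size, industry, records, data_type) for size in FIXED_COST]


def per_record_drop(industry: str, records: int, data_type: str) -> float:
    """Percentage fall in cost per record from micro to mid-market."""
    micro = estimate("micro", industry, records, data_type).per_record
    mid = estimate("mid-market", industry, records, data_type).per_record
    return (micro - mid) / micro * 100


def render_table(rows: list[Estimate]) -> str:
    """Pipe-delimited table in the same layout as the page's comparison table."""
    lines = ["| Company size | Expected cost | Cost per record |", "|---|---|---|"]
    for r in rows:
        lines.append(f"| {r.size} | ${r.expected:,.0f} | ${r.per_record:,.0f} |")
    return "\n".join(lines)


if __name__ == "__main__":
    # The page's default profile: 25,000 PHI records at a healthcare provider.
    rows = compare_sizes("healthcare", 25_000, "phi")
    print(render_table(rows))
    drop = per_record_drop("healthcare", 25_000, "phi")
    print(f"micro -> mid-market per-record drop: {drop:.1f}%")
```

Running it with the default profile prints the three rows of the comparison table ($2,722,500 / $109, $2,508,750 / $100, $2,345,000 / $94) and the roughly 14% micro-to-mid-market fall in cost per record; changing `SIZE_FACTOR` or `FIXED_COST` shows how much of that gap each term is responsible for.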
Frequently asked questions
Why do smaller companies pay more per record for a data breach?
Because a breach has a large fixed cost — forensics, legal counsel, crisis management — that you pay almost regardless of how many records were exposed. A small business spreads that fixed cost over fewer records, so its cost per record is higher. The model also applies a size factor: a micro business carries a per-record variable cost 30% above a mid-market one. The table above makes the diseconomy visible.
How much does a data breach cost a small business?
For the default profile here — a micro (1–50 employee) healthcare provider with 25,000 patient records — the modeled expected cost is $2.72M (about $109 per record), in a range of $1.63M to $4.63M. Change the size, industry, records and data type above to fit your business.
How is company size measured here?
By headcount band: micro (1–50 employees), small (51–250) and mid-market (251–1,000). Each band sets a fixed breach-response cost and a per-record size multiplier. If you are larger than mid-market, the per-record economics keep improving — but this site is built for small and mid-sized businesses, where the diseconomy of scale bites hardest.
Does this include regulatory fines?
No. The figure is the operational breach cost. Statutory penalty exposure under HIPAA, CCPA, GDPR or PCI depends heavily on the facts and is estimated separately with the compliance-cost calculators.
How accurate is this?
It is a transparent planning model, not a prediction. The structure (fixed + variable cost, a size factor and a data-type factor) and every coefficient are documented on the methodology page and dated to their sources. Real costs vary widely — that is why the result is shown as a range and every input is editable.
Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.