Data Breach Cost Estimator for SMBs

Estimate what a data breach would cost your business. Set your industry, the number of sensitive records you hold, the type of data, your company size and the security controls you already have in place, and get the expected total cost — broken down into the five components a breach actually generates, with a cost per record and a benchmark comparison. Numbers update as you type. Benchmarks are current as of Jun 25, 2026 (see the sources page); key figures are editable.

Estimated expected cost: $2,722,500 for a Micro (1–50 employees) healthcare business with 25,000 health data (PHI) records.

  • Optimistic: $1,633,500
  • Expected: $2,722,500
  • Pessimistic: $4,628,250
  • Cost per record: $109

Where the cost goes

Estimated breach cost by component

Component              Share   Estimated cost   What it covers
Detection & response   30%     $816,750         Forensics, investigation, incident-response labor and crisis management to find and contain the breach.
Notification           6%      $163,350         Identifying affected people and regulators and issuing the required breach notices.
Lost business          34%     $925,650         Customer churn, reputational damage, downtime and the cost of winning back trust — usually the largest share.
Fines & legal          12%     $326,700         Legal counsel, settlements and the operational portion of regulatory penalties (statutory exposure is shown separately).
Post-breach response   18%     $490,050         Credit/identity monitoring, help-desk, remediation and security upgrades after the incident.
Benchmark. Your modeled cost per record is $109. The published average for Healthcare is $408/record — that figure is an all-sizes average; smaller breaches like this one carry more fixed cost per record, larger ones less, which is why the two differ.

Potential regulatory exposure (shown separately). Statutory penalties under HIPAA, CCPA, GDPR or PCI are not included in the figure above because they depend heavily on the facts. Estimate them with the compliance-cost calculators.

How it works

A breach has two kinds of cost. There is a fixed part — investigation, forensics, crisis management, baseline legal counsel — that you pay almost regardless of how many records were exposed. And there is a variable part — notification, credit monitoring, per-record liability and the customer churn each lost record drives — that scales with the number of records. This estimator adds the two:

Formula.
Expected cost = ( F_base(size) + records × v_eff ) × f_security
v_eff = base variable cost/record (industry) × f_data(data type) × f_size(size)
f_security = product of (1 − reduction) over the controls you have, floored at 45% (the multiplier never drops below 0.45, so controls can remove at most 55% of the cost)
Cost per record = expected cost ÷ records
Range = expected × {0.6, 1.0, 1.7}

Because the fixed part is divided across the records, the per-record cost falls as the number of records rises — the reason a small business almost always faces a higher cost per record than a large enterprise hit by the same kind of breach. The total is then split into the five components above using the proportions published by IBM, and a security posture you already have in place lowers the whole figure through the mitigation factors IBM measured. Every one of these coefficients is listed, dated and linked to its source on the methodology page.

A worked example

Take the default profile: a Micro (1–50 employees) healthcare business holding 25,000 health data (PHI) records, in California, with no controls selected (so f_security = 1.0).

  • Variable cost per record veff = $60 × 1.35 (PHI) × 1.3 (micro) = $105.30
  • Variable total = 25,000 × $105.30 = $2,632,500
  • Plus fixed cost Fbase(micro) = $90,000
  • Expected cost = ($90,000 + $2,632,500) × 1.0 = $2,722,500 (≈ $109 per record)

Select a couple of security controls — say encryption and a tested incident-response plan — and watch the figure fall: that drop is the modeled return on those controls. To turn it into an explicit return on investment, use the security control ROI calculator; to size the notification bill on its own, see the breach notification cost calculator.
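The formula and the worked example above, implemented as an added Python example; this is not the page's own calculator code. The coefficients are the ones the page prints for the default profile ($90,000 fixed cost for a micro business, $60 base variable cost per healthcare record, 1.35 for PHI, 1.3 for micro size, the IBM component shares and the 0.6/1.0/1.7 range multipliers). The per-control reductions are placeholders, because the page does not list IBM's mitigation factors, and the function and key names (`estimate`, `security_factor`, `"tested_ir_plan"` and so on) are assumptions of this example.

```python
from math import prod

# Coefficients the page states for its default profile, in USD. The full tables
# (other industries, sizes and data types) live on the methodology page; only
# the values printed on this page are filled in here.
FIXED_BASE_BY_SIZE = {"micro": 90_000.0}            # F_base(size)
BASE_VARIABLE_BY_INDUSTRY = {"healthcare": 60.0}     # base variable cost per record
DATA_TYPE_FACTOR = {"phi": 1.35}                     # f_data(data type)
SIZE_FACTOR = {"micro": 1.3}                         # f_size(size)
SECURITY_FLOOR = 0.45                                # f_security never drops below 45%

# Component shares (the IBM proportions listed on the page); they must sum to 1.
COMPONENT_SHARES = {
    "detection_response": 0.30,
    "notification": 0.06,
    "lost_business": 0.34,
    "fines_legal": 0.12,
    "post_breach_response": 0.18,
}
RANGE_MULTIPLIERS = {"optimistic": 0.6, "expected": 1.0, "pessimistic": 1.7}

# PLACEHOLDER per-control reductions. The page does not print IBM's per-control
# mitigation factors, so these values are invented for illustration; replace
# them with the published coefficients from the methodology page.
PLACEHOLDER_CONTROL_REDUCTION = {
    "encryption": 0.10,
    "tested_ir_plan": 0.10,
}


def security_factor(controls, reductions=PLACEHOLDER_CONTROL_REDUCTION):
    """f_security: product of (1 - reduction) over the selected controls, floored at 0.45."""
    factor = prod(1.0 - reductions[control] for control in controls)  # empty product is 1.0
    return max(SECURITY_FLOOR, factor)


def variable_cost_per_record(industry, data_type, size):
    """v_eff: base variable cost per record scaled by the data-type and size factors."""
    return (BASE_VARIABLE_BY_INDUSTRY[industry]
            * DATA_TYPE_FACTOR[data_type]
            * SIZE_FACTOR[size])


def expected_cost(industry, data_type, size, records, controls=(),
                  reductions=PLACEHOLDER_CONTROL_REDUCTION):
    """(F_base + records x v_eff) x f_security, rounded to cents."""
    if records <= 0:
        raise ValueError("records must be a positive integer")
    fixed = FIXED_BASE_BY_SIZE[size]
    variable = records * variable_cost_per_record(industry, data_type, size)
    return round((fixed + variable) * security_factor(controls, reductions), 2)


def cost_breakdown(total):
    """Split a total into the five components using the published shares."""
    if abs(sum(COMPONENT_SHARES.values()) - 1.0) > 1e-9:
        raise ValueError("component shares must sum to 1")
    return {name: round(total * share, 2) for name, share in COMPONENT_SHARES.items()}


def cost_range(total):
    """Optimistic / expected / pessimistic figures from the fixed range multipliers."""
    return {label: round(total * m, 2) for label, m in RANGE_MULTIPLIERS.items()}


def estimate(industry, data_type, size, records, controls=(),
             reductions=PLACEHOLDER_CONTROL_REDUCTION):
    """Full estimate: expected cost, cost per record, range and component split."""
    total = expected_cost(industry, data_type, size, records, controls, reductions)
    return {
        "expected": total,
        "per_record": round(total / records, 2),
        "security_factor": security_factor(controls, reductions),
        "range": cost_range(total),
        "components": cost_breakdown(total),
    }


if __name__ == "__main__":
    # The page's default profile, then the same profile with two controls selected.
    baseline = estimate("healthcare", "phi", "micro", 25_000)
    mitigated = estimate("healthcare", "phi", "micro", 25_000,
                         controls=("encryption", "tested_ir_plan"))
    print(f"expected ${baseline['expected']:,.0f}  per record ${baseline['per_record']:,.2f}")
    for name, value in baseline["components"].items():
        print(f"  {name:<22} ${value:,.0f}")
    print(f"with controls: ${mitigated['expected']:,.0f} "
          f"(f_security = {mitigated['security_factor']:.2f})")
```

Running it reproduces the page's $2,722,500 expected cost, $109 per record and the five component figures; the floor in `security_factor` is what keeps a long list of controls from driving the estimate toward zero, and the `records <= 0` check is there because the per-record division is undefined for an empty dataset.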

Frequently asked questions

How much does a data breach cost a small business?

It depends on the records you hold, the kind of data, your industry and your security posture — which is exactly what this tool models. For the default profile here (a ~50-employee healthcare provider with 25,000 patient records) the estimated expected cost is $2.72M, in a range of $1.63M to $4.63M. Smaller businesses pay a higher cost per record because the fixed costs of responding to a breach are spread over fewer records.

What is the average cost per record of a data breach?

Published industry analysis puts the global average around $164 per record, but it varies sharply by industry — healthcare is the highest. That headline figure is an average across breaches of all sizes; because breach response has a large fixed component, the per-record cost falls as the number of records rises. This estimator models that, so the per-record number it shows for a small breach is higher than for a large one.

Does this include regulatory fines like GDPR or HIPAA?

The headline estimate is the operational cost (detection, notification, lost business, post-breach response and the everyday legal component). Statutory penalty exposure — GDPR, HIPAA, CCPA, PCI — varies enormously with the facts and is shown separately so it cannot silently dominate the number. Use the dedicated compliance-cost calculators for those, and treat them as maximum exposure, not a prediction.

How accurate is this estimate?

It is a transparent planning model, not a prediction of any specific incident. The structure (fixed + variable cost, five cost components, a security-posture multiplier) and every coefficient are published on the methodology page and dated to their primary sources. Real breach costs vary widely — that is why the result is shown as a range, and why every key input is editable.

How current are the benchmarks?

The bundled benchmarks were verified on Jun 25, 2026 against IBM/Ponemon Cost of a Data Breach and Verizon DBIR, each linked on the sources page. They are convenience defaults: the key figures are editable, so the model stays correct even as the benchmarks age.

Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.