Breach Notification Cost Calculator

Estimate the operational cost of notifying affected individuals after a data breach: a per-record notice cost, plus credit/identity monitoring for the share who enroll, plus a fixed legal/forensic baseline. Defaults come from representative industry figures; every unit cost is editable. A reference table of US state notification laws (deadline and Attorney General threshold) is included below. This is the cost of doing the notification — not a regulatory fine, and not legal advice. Figures as of Jun 25, 2026 (see the cited sources).

Estimated notification cost: $137,500 to notify 25,000 individuals, with monitoring for the 10% who enroll (notices $37,500; monitoring for the enrolled $75,000; fixed legal/forensic $25,000; $5.50 per record).

Cost breakdown

Estimated breach-notification cost by component

Component                  | Calculation               | Estimated cost
Notices                    | 25,000 × $1.50            | $37,500
Credit/identity monitoring | 2,500 enrolled × $30.00   | $75,000
Fixed legal / forensic     | flat                      | $25,000
Total                      |                           | $137,500

Formula:
Total = records × (notice per record + monitoring per year × take-up rate) + fixed legal
Enrolled in monitoring = records × take-up rate
Cost per record = total ÷ records

How it works

Once a breach is confirmed, one of the first hard costs is telling the people whose data was exposed — and, in the US, telling the regulators. That obligation is set by state breach-notification laws: every state, plus several territories, requires a business to notify affected residents, usually within a deadline, and to notify the state Attorney General once the number of affected residents crosses a threshold. The cost of carrying out that notification is what this calculator models. It is an operational cost — the price of doing the notification properly — and is entirely separate from any regulatory fine for the breach itself.

The model has three parts. The first is the per-record notice cost: identifying exactly who was affected, finding current contact details, drafting compliant notice letters and printing and mailing them. A representative figure is around $1.50 per person, and it scales directly with the number of records. The second is credit or identity monitoring. It is now standard — and in some circumstances required — to offer affected individuals a year of monitoring, at roughly $30.00 per enrolled person. The key word is enrolled: you offer it to everyone but only pay for those who sign up, and real enrollment is typically low, often around 10%. Applying that take-up rate is what keeps this line realistic rather than wildly overstated. The third part is a fixed legal and forensic baseline — the counsel, project management and forensic support needed to run the notification correctly — that you pay largely regardless of headcount, here defaulting to $25,000.

Putting the three together gives the formula: total equals the number of records times the sum of the per-record notice cost and the monitoring cost weighted by the take-up rate, plus the fixed legal baseline. Because the fixed baseline is spread across all the records, the per-record cost falls as the breach grows — the same diseconomy of small breaches that runs through the rest of this site. Every unit cost is an editable input, so you can swap in your own vendor quotes, change the monitoring term, or set the take-up rate to 100% if you are committed to paying per offer rather than per enrollment.

Which state laws actually apply is driven by where the affected individuals live, not where your business is headquartered, so a single breach of a national customer base can trigger dozens of state regimes at once — each with its own deadline and its own AG-notice threshold. The reference table below summarizes representative rules for a selection of states. It is a starting point for scoping the obligation, not a substitute for checking the current statute. This calculator is informational and is not legal advice; for the obligations that bind you, consult qualified counsel and the text of each applicable law. For a deeper walk-through, see the guide to US breach-notification laws and cost.

US state breach-notification laws (reference)

Representative selection — not exhaustive. "AG-notice threshold" is the number of affected residents above which the state Attorney General must also be notified. Always confirm the current statute; see the full guide.

Representative US state breach-notification deadlines and AG-notice thresholds (as of Jun 25, 2026)

State         | Notification deadline       | AG-notice threshold (residents) | Statute
California    | Without unreasonable delay  | 500                             | Cal. Civ. Code §1798.82
New York      | Without unreasonable delay  | 500                             | NY GBL §899-aa (SHIELD Act)
Texas         | 60 days                     | 250                             | Tex. Bus. & Com. Code §521.053
Florida       | 30 days                     | 500                             | Fla. Stat. §501.171
Illinois      | Without unreasonable delay  | 500                             | 815 ILCS 530
Colorado      | 30 days                     | 500                             | Colo. Rev. Stat. §6-1-716
Washington    | 30 days                     | 500                             | RCW 19.255
Massachusetts | As soon as practicable      | 1                               | Mass. Gen. Laws ch. 93H
Virginia      | Without unreasonable delay  | 1,000                           | Va. Code §18.2-186.6
Ohio          | 45 days                     | 1,000                           | Ohio Rev. Code §1349.19
Georgia       | Without unreasonable delay  | 10,000                          | Ga. Code §10-1-912
Pennsylvania  | Without unreasonable delay  | 500                             | 73 Pa. Stat. §2303

A worked example

Take a breach affecting 25,000 individuals, with the default unit costs: $1.50 per notice, $30.00/year monitoring at a 10% take-up, and a $25,000 fixed legal baseline.

  • Notices = 25,000 × $1.50 = $37,500
  • Enrolled in monitoring = 25,000 × 10% = 2,500 people
  • Monitoring = 2,500 × $30.00 = $75,000
  • Plus fixed legal/forensic = $25,000
  • Total = $37,500 + $75,000 + $25,000 = $137,500 (≈ $5.50 per record)

Raise the monitoring take-up rate and watch the total climb — that single assumption swings the figure more than any other, which is why it is exposed as an editable input rather than buried in the math. Change the record count or any unit cost above and the breakdown updates instantly. To estimate the statutory-damages exposure that can accompany a California breach, use the CCPA/CPRA exposure calculator; for the full operational cost of the incident, the data breach cost estimator.
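The formula and the worked example above, implemented as an added Python example (not the calculator's own code). It uses the page's default unit costs and a subset of the state table; the resident counts per state in the usage are constructed, and the AG-notice check follows the page's definition of the threshold as the count above which the Attorney General must be notified.

```python
from dataclasses import dataclass

# Default unit costs from the calculator page.
NOTICE_PER_RECORD = 1.50        # per notified person
MONITORING_PER_ENROLLED = 30.00 # per enrolled person, per year
TAKE_UP_RATE = 0.10             # share of notified people who enroll
FIXED_LEGAL = 25_000.00         # flat legal/forensic baseline

# Subset of the page's reference table: state -> (deadline, AG-notice threshold).
STATE_RULES = {
    "CA": ("Without unreasonable delay", 500),
    "TX": ("60 days", 250),
    "MA": ("As soon as practicable", 1),
    "GA": ("Without unreasonable delay", 10_000),
    "OH": ("45 days", 1_000),
}


@dataclass
class Estimate:
    records: int
    enrolled: int
    notices: float
    monitoring: float
    fixed_legal: float

    @property
    def total(self) -> float:
        return self.notices + self.monitoring + self.fixed_legal

    @property
    def per_record(self) -> float:
        # The fixed baseline is spread over all records, so this falls as the breach grows.
        return self.total / self.records


def estimate(records: int, notice=NOTICE_PER_RECORD, monitoring=MONITORING_PER_ENROLLED,
             take_up=TAKE_UP_RATE, fixed=FIXED_LEGAL, years: int = 1) -> Estimate:
    """Total = records x (notice + monitoring x years x take_up) + fixed, via its components."""
    if records <= 0 or not 0.0 <= take_up <= 1.0:
        raise ValueError("records must be positive and take_up must be within [0, 1]")
    enrolled = round(records * take_up)   # you pay only for those who sign up
    return Estimate(records, enrolled, records * notice, enrolled * monitoring * years, fixed)


def ag_notices(residents_by_state: dict) -> dict:
    """Return {state: deadline} for states whose AG-notice threshold is exceeded."""
    return {st: STATE_RULES[st][0] for st, n in residents_by_state.items()
            if n > STATE_RULES[st][1]}   # "above which", per the page; confirm each statute


if __name__ == "__main__":
    e = estimate(25_000)
    print(f"total ${e.total:,.0f}, ${e.per_record:.2f}/record, AG notices: "
          f"{ag_notices({'CA': 12_000, 'TX': 300, 'MA': 5, 'GA': 9_000, 'OH': 900})}")
```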

Frequently asked questions

What goes into the cost of notifying a breach?

Three things. A per-record notice cost (default $2) for identifying affected people and producing and mailing each legally required notice. A credit/identity monitoring offer — usually one year, default $30 per enrolled person — billed only for the share who actually enroll (a typical take-up of 10%). And a fixed legal/forensic baseline (default $25,000) for managing the notification process. Every figure is editable.

Why is monitoring multiplied by a take-up rate?

You typically offer credit or identity monitoring to everyone notified, but you only pay for those who enroll. Real enrollment is usually low — often around 10% — so applying a take-up rate avoids massively overstating this line. If you are contractually committed to pay per offer rather than per enrollment, set the take-up rate to 100%.

Is notification legally required?

In the US, yes — all 50 states plus several territories have breach-notification statutes, each with its own deadline and its own threshold for additionally notifying the state Attorney General. The reference table above lists representative state rules. Which laws apply depends on where the affected residents live, not where your business sits, so a single breach can trigger many states at once. This is informational, not legal advice.

How fast do I have to notify?

It varies by state. Many require notice "without unreasonable delay"; others impose hard clocks — 30, 45 or 60 days from discovery. Several also require notifying the Attorney General once the number of affected residents crosses a threshold (often 500 or 1,000). The table above summarizes representative deadlines and AG-notice thresholds; always confirm the current text of every applicable statute.

Does this include regulatory fines?

No. This is the operational cost of carrying out the notification, not any penalty for the breach itself. Statutory penalty exposure — under GDPR, HIPAA, CCPA or PCI — is estimated by the dedicated compliance-cost calculators, and treated as maximum exposure, not a prediction.

Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.