Records-at-Risk Exposure Calculator

Translate the volume of sensitive records you hold into a maximum financial exposure: the worst-case figure in which every record is compromised. Enter the number of records and your industry's cost per record (loaded for you, and editable). This is a deliberate upper bound, not an expected loss: for a realistic figure that accounts for partial exposure, fixed costs, size and controls, use the data breach cost estimator. Numbers update as you type. Benchmarks as of Jun 25, 2026 (see the sources list); both figures are editable.

The records you hold
  • Records at risk: 25,000
  • Cost per record: $408
  • Maximum exposure: $10,200,000

Maximum exposure (worst case): $10,200,000 if all 25,000 records were compromised at $408 each.

The worst-case exposure, step by step
  Step                      Value
  Sensitive records held    25,000
  × Cost per record         $408
  = Maximum exposure        $10,200,000
This is an upper bound, not an expected loss. It assumes the worst case — every record compromised at once. Most breaches expose only a fraction of the records an organization holds, and the per-record cost of a real incident blends fixed and variable costs. For a realistic expected figure, use the data breach cost estimator, which adds a fixed cost, a size factor and your security posture instead of assuming the whole dataset is lost.
Formula: Maximum exposure = records × cost per record
Default: 25,000 × $408 = $10,200,000
Worst case only, with every record compromised. The estimator gives the expected, not the worst-case, figure.

How it works

Records-at-risk exposure answers a blunt but important question: if everything went wrong at once, how much is the data you are holding worth in breach terms? The calculation is intentionally simple — the number of sensitive records multiplied by a per-record cost — but its purpose is different from the other calculators on this site. It is not trying to predict what a breach will cost you. It is trying to size the ceiling: the maximum financial damage your record-holding could ever translate into. That ceiling is a planning figure, the cyber equivalent of a total insured value, and it is most useful precisely because it is unambiguous about being a worst case.

The first input is the number of sensitive records you hold. This should be every record whose exposure would trigger cost — customer or patient records, payment details, account credentials, employee data — not your total row count across every harmless table. The second input is the cost per record, loaded from your industry's published average but fully editable. That per-record figure already bundles together everything a single exposed record tends to generate: notifying the person, offering monitoring, the legal and regulatory share attributable to their data, and the lost-business slice their churn represents. Multiplying the two gives the maximum exposure: what it would cost if every record you hold were compromised in a single incident.

The word maximum is doing real work here, and it is the most important thing to understand about the result. Real breaches almost never expose an organization's entire dataset. Attackers reach one system, one database, one mailbox; partial exposure is the norm and total exposure is the rare exception. Treating the worst case as if it were the expected case would badly overstate your likely loss and lead to over-spending. This calculator therefore presents the number honestly as an upper bound, and points you to the data breach cost estimator for the expected figure. The estimator is structurally different: it adds a fixed cost that you pay regardless of record count, a company-size factor, and credit for the security controls you have in place, and it does not assume the whole dataset is lost. Where this tool says "the most you could lose," the estimator says "what a typical incident would cost."

So why compute a worst case at all? Because the ceiling is exactly the figure that justifies data minimization. In a fixed-cost model, holding a few extra thousand records barely moves the number; in this linear, worst-case model, every record you retain raises the ceiling by its full per-record cost. That makes the business case for deleting data you no longer need, shortening retention periods, and tokenizing or not collecting sensitive fields immediately visible: cut the record count and the maximum exposure falls in direct proportion. The worst-case figure is also the right one to frame the stakes for a board or to set a notional upper limit when sizing cyber-insurance cover — it tells leadership how much value is concentrated in the data, even though no one expects to lose all of it.

Finally, exposure is only the magnitude half of risk. It says nothing about how likely a breach is. To complete the picture, pair this figure with the breach probability calculator for your sector's annual base rate, and feed both into the annual loss expectancy calculator to get an annual expected loss. Reducing exposure (holding fewer records) and reducing probability (stronger controls) are two distinct levers, and seeing them side by side makes it clear which one your situation calls for.

A worked example

Take a healthcare provider holding 25,000 patient records. Health data carries the highest published cost per record, so the dropdown loads $408 for the healthcare sector.

  • Records at risk = 25,000
  • Cost per record = $408 (healthcare average)
  • Maximum exposure = 25,000 × $408 = $10,200,000

That $10,200,000 is the worst case: the figure if every one of those 25,000 records were compromised at once. It is the number to put in front of leadership when arguing for data minimization — halve the records you retain and the ceiling halves to $5,100,000. But it is not what a typical incident would cost. Run the same profile through the data breach cost estimator and you get an expected figure that is far lower, because it accounts for partial exposure, a fixed cost floor, the company-size factor and any security controls in place. Use this exposure number to size the prize and motivate data reduction; use the estimator to plan for the loss you are actually likely to face; and to understand why the per-record cost itself behaves the way it does, see the cost-per-record calculator.
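The worked example and the "How it works" section above, as an added Python example that is not part of the calculator itself: it applies the page's rule of counting only records whose exposure triggers cost (not every harmless row), computes the linear worst-case ceiling, and shows the data-minimization lever of deleting a retention candidate. The inventory, dataset names and the breach probability passed to the ALE helper are constructed assumptions, chosen so the sensitive total matches the page's 25,000-record healthcare default.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Dataset:
    name: str
    records: int
    sensitive: bool  # True only if exposing a record would trigger breach cost

# Constructed inventory (hypothetical names and counts); 18,000 + 7,000 = 25,000
# sensitive records, matching the page's default. The analytics table is a large
# but harmless row count that must NOT be included in the exposure calculation.
INVENTORY = [
    Dataset("patient_master", 18_000, True),
    Dataset("archived_patients_pre_2015", 7_000, True),   # retention candidate
    Dataset("web_analytics_pageviews", 3_000_000, False),
]

COST_PER_RECORD_HEALTHCARE = 408.0  # page's healthcare benchmark, USD per record

def sensitive_record_count(inventory):
    """Count only records whose exposure triggers cost, never total row count."""
    return sum(d.records for d in inventory if d.sensitive)

def max_exposure(records, cost_per_record):
    """Worst-case ceiling: every sensitive record compromised in one incident."""
    return records * cost_per_record

def minimization_savings(inventory, dataset_name, cost_per_record):
    """Ceiling reduction from deleting one dataset; linear in its record count."""
    before = max_exposure(sensitive_record_count(inventory), cost_per_record)
    kept = [d for d in inventory if d.name != dataset_name]
    after = max_exposure(sensitive_record_count(kept), cost_per_record)
    return before - after

def annual_loss_expectancy(exposure, annual_breach_probability):
    """Magnitude x likelihood. The probability is an assumed input; the page
    points to a separate breach probability calculator for sector base rates."""
    return exposure * annual_breach_probability

if __name__ == "__main__":
    n = sensitive_record_count(INVENTORY)
    ceiling = max_exposure(n, COST_PER_RECORD_HEALTHCARE)
    print(f"sensitive records: {n:,}; worst-case exposure: ${ceiling:,.0f}")
    saved = minimization_savings(INVENTORY, "archived_patients_pre_2015",
                                 COST_PER_RECORD_HEALTHCARE)
    print(f"deleting the archived dataset lowers the ceiling by ${saved:,.0f}")
```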

Frequently asked questions

What is records-at-risk exposure?

It is the maximum financial exposure of the sensitive records you hold — the worst-case figure that assumes every record is compromised. It is simply the number of records multiplied by your industry's cost per record. For the default profile (25,000 health records at $408 each) the upper-bound exposure is $10,200,000. Most real breaches expose only a fraction of your records, so this is a ceiling, not an expected loss.

Is this the cost I should expect to pay?

No — it is a deliberate upper bound. It assumes the worst case in which every single record you hold is compromised at once, which is rare. For a realistic expected figure that accounts for partial exposure, fixed costs, your company size and your security controls, use the data breach cost estimator. Think of records-at-risk exposure as the size of the prize an attacker is after, and the estimator as what a typical incident would actually cost.

Why use a worst-case number at all?

Because it sizes the problem. The maximum exposure tells you how much value is concentrated in the data you are holding, which is exactly the figure that justifies a data-minimization program (holding fewer records lowers the ceiling directly) and frames the stakes for a board. It is the cyber-risk equivalent of a total insured value: not what you expect to lose, but the most you could lose if the whole dataset went.

Where does the cost-per-record figure come from?

The dropdown loads the published average cost per record for your industry, from IBM/Ponemon analysis, ranging from about $160 in the public sector to $408 in healthcare. The field is editable, so you can substitute your insurer's figure or a number from your own prior incident. See the full cost-per-record by industry table.

How do I lower this exposure?

The most direct lever is the record count: the fewer sensitive records you retain, the lower the ceiling, which is why data-minimization and timely deletion pay off here in a way they do not in a fixed-cost model. Reducing the likelihood of a breach does not change the maximum exposure but does change the expected loss — model that with the annual loss expectancy calculator and the breach probability calculator.

Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.