Sources
Every coefficient on this site is traced to a primary source — a published benchmark report or the statute itself. The methodology page maps each coefficient to the entry below and states whether it is a measured benchmark or a documented modeling choice. Benchmark figures were last verified on Jun 25, 2026.
Breach-cost benchmarks
- IBM Cost of a Data Breach Report 2025 — average breach cost, cost per record by industry, cost-component split, security cost-mitigation factors, and the detection-time (dwell-time) cost delta. ibm.com/reports/data-breach →
- Ponemon Institute — the research partner behind the IBM Cost of a Data Breach study; per-record and per-component cost methodology. Published via the IBM report above.
- Verizon Data Breach Investigations Report (DBIR) — incidence and breach-frequency data by industry, used to derive annual breach probability. verizon.com — DBIR →
Regulatory & statutory
- GDPR Article 83 — administrative-fine tiers (up to €10M / 2% and €20M / 4% of worldwide annual turnover, whichever is higher). gdpr-info.eu — Art. 83 →
- HIPAA — HHS Office for Civil Rights / 45 CFR §160.404 — civil money penalty tiers and annual caps (inflation-adjusted). hhs.gov — HIPAA enforcement →
- California Consumer Privacy Act — Cal. Civ. Code §1798.150 — private right of action and statutory damages of $100–$750 per consumer per incident. leginfo.legislature.ca.gov — §1798.150 →
- California breach-notification — Cal. Civ. Code §1798.82 — the model state notification statute (timing and attorney-general thresholds). leginfo.legislature.ca.gov — §1798.82 →
- PCI Security Standards Council — PCI DSS; non-compliance fines and forced card reissuance are set contractually by card brands and acquirers (ranges widely reported, not statutory). pcisecuritystandards.org →
- NCSL — Security Breach Notification Laws — summary of the 50-state notification patchwork (deadlines, AG thresholds). ncsl.org — breach-notification laws →
Risk frameworks
- NIST SP 800-30 Rev. 1 — Guide for Conducting Risk Assessments — the quantitative-risk model behind ALE = ARO × SLE and SLE = asset value × exposure factor. csrc.nist.gov — SP 800-30 →
How to read these
Benchmark numbers (IBM/Ponemon, DBIR) are representative, SMB-appropriate values rather than enterprise headline averages, and they serve as convenience defaults that you can override in every tool. Statutory and contractual figures are reproduced from the primary text; for any obligation that affects you, verify the current figure against the cited source and consult qualified counsel — see the terms & disclaimer.
Spotted a stale figure or a better primary source? Let me know — corrections are credited.