What a phishing breach costs in fines and notification, at a glance
Regulatory exposure from a phishing breach is two separate lines, not one. Statutory fines are capped but discretionary: GDPR reaches the higher of EUR 20 million or 4% of global turnover (phishing breaches typically draw 0.5% to 2%), HIPAA runs $100 to $50,000 per violation up to a $1.5 million annual cap per violation type, and NYDFS consent orders have landed at $4.5 million (EyeMed, 2022) and $1 million (First American Title, 2023). Notification is a separate operational cost regardless of any fine: customer PII averages $160 per compromised record in the IBM 2025 dataset. The SEC adds a timing constraint rather than a dollar cap, requiring an 8-K within four business days of a materiality determination.
Full framework-by-framework caps, timing, and reference settlements below.[EUR-Lex Art 83(5), HHS OCR, SEC Final Rule 2023, NYDFS, IBM Cost of a Data Breach 2025]