CASE FILE // PC-2026-04
Status: Open
Filing: 08.00.00
Field: 27 APR 2026
Classification: Public

Regulatory Fines & Notification Cost

The regulatory layer is the most variable line in the modelling worksheet. Caps are knowable. Actual fines depend on the supervisory authority's read of your control posture at the moment of compromise.

Exhibit A

Regulatory framework summary

LEGAL ANNEX

Code | Framework | Maximum exposure | Timing
R-01 | GDPR (EU) | Higher of EUR 20M or 4% of annual global turnover | Notify supervisory authority within 72 hours of awareness
R-02 | HIPAA (US healthcare) | $100 to $50,000 per violation, $1.5M annual cap per violation type | Notify HHS, affected individuals, and prominent media (>500 records) within 60 days
R-03 | SEC Cyber Disclosure Rule (US public companies) | Enforcement plus shareholder litigation exposure | 8-K within 4 business days of materiality determination
R-04 | State breach notification laws (US) | Avg $164 per record (IBM 2025) in notification cost; AG fines on top | Varies; typically without unreasonable delay (30 to 90 days)
R-05 | NYDFS Cybersecurity Regulation (23 NYCRR 500) | Per-violation fines, plus consent-order remediation cost | 72-hour notification to NYDFS
R-06 | PCI-DSS (payment cards, contractual) | Card-network fines $5,000 to $100,000 per month plus per-card forensic cost | Forensic investigator engagement within 24 hours of card-network notice
R-07 | FTC Section 5 (US, unfair or deceptive practices) | Consent-order remediation, follow-on civil penalties | Investigation-driven
R-08 | GLBA Safeguards Rule (US financial institutions) | Civil penalties + supervisory action | 30-day notification rule (effective May 2024)

Frameworks listed cover the most-cited US and EU exposures. Industry-specific layers (FERPA, FISMA, CMMC, FFIEC) apply on top. Sources: EUR-Lex, HHS OCR, SEC, state AG offices, FTC.

R-01 GDPR (EU)
GLOBAL CAP
Maximum exposure: Higher of EUR 20M or 4% of annual global turnover
Notification timing: Notify supervisory authority within 72 hours of awareness

Phishing-driven breaches generally draw fines in the 0.5% to 2% of revenue range, scaled to the deficiency in technical and organisational measures (TOMs). British Airways was fined GBP 20M (2020) for a card-skim attack with phishing-related access elements.

R-02 HIPAA (US healthcare)
Maximum exposure: $100 to $50,000 per violation, $1.5M annual cap per violation type
Notification timing: Notify HHS, affected individuals, and prominent media (>500 records) within 60 days

OCR enforcement covers Privacy Rule and Security Rule failures. Anthem $16M (2018) is the largest HIPAA settlement to date. Pharma and provider settlements regularly land in the $100K to $5M range.

R-03 SEC Cyber Disclosure Rule (US public companies)
4-DAY CLOCK
Maximum exposure: Enforcement plus shareholder litigation exposure
Notification timing: 8-K within 4 business days of materiality determination

Final Rule effective December 2023. It forces an early public-disclosure decision in the middle of an active incident, which complicates the IR communications strategy.

R-04 State breach notification laws (US)
Maximum exposure: Avg $164 per record (IBM 2025) in notification cost; AG fines on top
Notification timing: Varies; typically without unreasonable delay (30 to 90 days)

All 50 states have breach notification laws. California, Massachusetts, and New York are the strictest. Multi-state breaches must comply with the highest-bar requirement for the entire affected population.

R-05 NYDFS Cybersecurity Regulation (23 NYCRR 500)
Maximum exposure: Per-violation fines, plus consent-order remediation cost
Notification timing: 72-hour notification to NYDFS

Covers banking, insurance, and financial-services entities licensed by NYDFS. First Federal $1.5M (2022) and EyeMed $4.5M (2022) are reference-class settlements.

R-06 PCI-DSS (payment cards, contractual)
Maximum exposure: Card-network fines $5,000 to $100,000 per month plus per-card forensic cost
Notification timing: Forensic investigator engagement within 24 hours of card-network notice

Not a regulation but a contractual obligation. The Target breach generated approximately $67M in card-network settlement (2015). Phishing-derived POS compromise is a recurring PCI failure mode.

R-07 FTC Section 5 (US, unfair or deceptive practices)
Maximum exposure: Consent-order remediation, follow-on civil penalties
Notification timing: Investigation-driven

FTC routinely opens investigations on phishing breaches that affect consumers. Consent orders mandate 20-year third-party audit programmes. The Twitter consent order is the leading reference case.

R-08 GLBA Safeguards Rule (US financial institutions)
Maximum exposure: Civil penalties + supervisory action
Notification timing: 30-day notification rule (effective May 2024)

The FTC's revised Safeguards Rule now requires a written information security programme under Section 314.4, designation of a qualified individual, and breach notification within 30 days for incidents affecting 500 or more consumers.

Exhibit C

Notification cost mechanics

OPS COST
Per-record notification cost: $164 (cross-industry mean, IBM 2025)

Notification is itself an operational cost line, separate from any fine. It includes letter production and postage, identity-monitoring service for affected individuals (typically 12 months of free service), call-centre capacity for the inevitable inbound volume, and translation where a multinational population is in scope. The largest cost driver is identity monitoring, which averages $25 to $40 per individual per year.

Multi-state breaches must comply with the highest-bar state requirement for the entire affected population. There is no practical way to slice the population by jurisdiction once notification is required. Plan to apply California or Massachusetts standards across the full set.

Updated 2026-04-27