Data Breach Insurance in the United States

US data breaches cost an average of $5.09 million, the highest in the world. State notification laws, HIPAA requirements, and SEC disclosure rules create complex compliance obligations. Learn what your insurance must cover.

US data breach costs: By the numbers

The United States has the highest average data breach cost globally at $5.09 million (IBM 2024). This reflects the combination of strict state notification laws, high forensic investigation costs, expensive credit monitoring services, legal complexity, and regulatory fines across multiple jurisdictions.

  • Average cost per breached record: $165 USD (highest globally)
  • Average total breach cost: $5.09M USD
  • Healthcare sector average: $10.93M USD (HIPAA fines, sensitive patient data)
  • Financial services average: $6.08M USD (regulatory exposure, SEC disclosure)
  • Public sector average: $4.76M USD (citizen data, state laws)
  • Small breach (1,000 records): Approximately $165,000 USD to remediate
  • Time to identify breach: 194 days average (third-party discovery: +30% cost)

US state-by-state notification requirements

All 50 US states have data breach notification laws, but requirements vary significantly. Every state requires notification without undue delay, typically within 30-60 days. Key variations include:

  • Notification timeline: Most states require notification "without unreasonable delay" or within 30-45 days. California and New York specify 72 hours to authorities for regulated entities.
  • Breach definition threshold: Some states only require notification if a breach is "likely to cause harm", a vague standard. Others require notification for any breach of personal data.
  • Individual vs. authority notification: All states require individual notification. Many also require notice to state attorneys general and credit bureaus.
  • Costs: Notification costs include certified mailings, email campaigns, credit monitoring services (2-3 years, $100-200 per person), call centre support, and media monitoring.
  • Enforcement: State attorneys general can bring enforcement actions for non-compliance. Civil liability varies by state; some states have private rights of action allowing customers to sue directly.

Complying with all 50 state laws simultaneously is a legal and logistical challenge. A data breach affecting customers across multiple states requires notification coordination, multiple legal reviews, and significant cost. Your insurance must account for this complexity.

HIPAA and healthcare breaches

Healthcare organisations and their business associates face specific HIPAA Breach Notification Rule requirements:

  • Breach definition: A breach of unsecured Protected Health Information (PHI) is any "acquisition, access, use, or disclosure" of that PHI without authorization.
  • Notification requirement: Notify affected individuals without unreasonable delay, and no later than 60 calendar days after discovery.
  • Authority notification: Notify the US Department of Health and Human Services (HHS). Breaches affecting 500 or more individuals also require media notification and are publicly reported by HHS.
  • HIPAA penalties: Violations can result in fines from $100 to $50,000 per violation (up to $1.5M per violation category per year). Healthcare breaches trigger the highest penalties.
  • Cost multiplier: HIPAA breach costs average $10.93M, 2.1× the all-sector average.

Critical: HIPAA-covered entities must ensure their cyber insurance explicitly covers HIPAA breach notification costs, forensic investigation, regulatory defence, and penalties. Standard data breach policies may exclude healthcare-specific liabilities.

SEC cybersecurity disclosure rules

Public companies must disclose material cybersecurity incidents to the Securities and Exchange Commission. As of 2024, enhanced rules require:

  • Timing: Disclose material cybersecurity incidents within 4 business days or explain the delay in the next quarterly filing.
  • What to disclose: Details about the incident, remediation efforts, impact on operations, financial impact, and mitigation measures.
  • Penalty exposure: SEC enforcement for inadequate disclosure has resulted in settlements exceeding $100M. Individual executives have been held liable.
  • Incident response costs: Public companies typically incur 20-40% higher breach investigation and legal costs due to disclosure requirements and shareholder litigation risk.

State-specific regulations increasing premium costs

Certain states have enacted cybersecurity regulations that increase insurance costs:

  • California (CCPA/CPRA): Strict data collection rules, consumer rights, breach notification, and privacy impact assessments. Impact on insurance: +20-40% premium for California-based businesses.
  • New York (NYDFS 23 NYCRR 500): Cybersecurity requirements for financial services, including MFA, encryption, and incident reporting. Impact on insurance: +15-30% premium for NY financial services.
  • Massachusetts (201 CMR 17.00): Security control requirements for personal information. Impact on insurance: +10-20% premium for MA businesses handling personal data.
  • Illinois (BIPA): Strict liability for biometric data protection, with a private right of action. Impact on insurance: +25-50% premium for biometric data processors.

PCI DSS compliance and payment card breaches

Organisations accepting payment cards must comply with the Payment Card Industry Data Security Standard (PCI DSS). Non-compliance fines range from $5,000 to $100,000 per month. A data breach involving payment card data can trigger:

  • PCI fines and assessments (acquiring bank penalties)
  • Card reissuance costs for breached cardholders
  • Forensic investigation specific to PCI requirements
  • Breach notification costs (notification is required by the payment card networks)
  • Merchant acquiring bank suspension or termination

Ensure your cyber insurance includes PCI DSS coverage and that PCI fines and assessments are covered under the policy.

What comprehensive US data breach insurance covers

A robust US data breach policy should include:

  • Breach notification costs: Legal review, mailings, email notification, call centre support across all 50 states
  • Credit monitoring and identity protection: Multi-year coverage for affected individuals (3-year standard)
  • Forensic investigation: Determining scope and cause of breach (critical for regulatory compliance)
  • Legal counsel and breach coach: Regulatory specialists, employment law, class action defence
  • HIPAA and state regulatory defence: Defence costs outside the limit, where possible
  • Regulatory fines: HIPAA fines, state AG penalties, PCI fines (verify insurability in your state)
  • Class action defence and settlements: Private litigation costs and settlements
  • PR and crisis communications: Reputation management and public statements
  • Business interruption: Lost revenue during incident response and system remediation
  • Regulatory reporting costs: SEC filing support, shareholder communications

Real-world US breach cost scenario

A mid-market healthcare provider with 500,000 patient records discovers a breach. Estimated costs:

  • Forensic investigation: $150,000
  • Breach notification (mailing + call centre): $120,000
  • Credit monitoring (3 years): $250,000
  • Legal counsel and HIPAA defence: $200,000
  • HIPAA regulatory fines (estimated): $500,000
  • Class action settlement: $750,000
  • PR and reputation management: $100,000
  • Business interruption: $400,000

Total estimated exposure: $2.37M USD (likely higher with regulatory complexity). A $2M policy with outside-limit defence costs would provide crucial protection.

Protect your business from US data breach costs

Get matched with a broker who specialises in US compliance requirements and can ensure your coverage accounts for state laws, HIPAA, SEC, and PCI obligations.
