How much will your small business data breach REALLY cost?

DISCLAIMER: If you suspect your small business has suffered a potential data breach, please contact Ariento immediately for a free, no-obligation consultation. Time is of the essence.

There are a lot of statistics published about the cost of a data breach. IBM & the Ponemon Institute, for example, say that it costs $7.01 million on average for a data breach in the United States. Give that statistic to a small business owner like your accountant or attorney and they laugh and tell you that you need to have $7 million in the first place before you can lose it. Bottom line, very few published statistics are relevant to small businesses. For this reason, we have developed a data breach cost calculator for small businesses, which we believe paints a more realistic picture for small business owners. We base the calculation on our real-world experience with data breach incident response. Try out the tool if you want, but first continue reading to learn about the nine costs of a data breach in the state of California.

Cost 1: Digital Forensics

Any time a potential breach occurs, you have to determine (1) if it was an actual breach (i.e. data actually pulled off your systems) and (2) if so, what the scope of the breach was (i.e. was it just music files or was it sensitive information such as PII). This requires a digital forensic examination of your systems, which is a very time-consuming, detail-laden task requiring a specific skillset. In other words, this is expensive, accounting for 14% of breach costs according to the 2015 Ponemon study. Average hourly rates for competent digital forensic experts usually range from $400 to $600.

Cost 2: Cybersecurity Firm

One breach is usually enough for a small business owner to conclude that they never want to go through the experience again. To prevent future breaches, most companies bring in a cybersecurity expert on either a consulting or a subscription basis to secure their systems and ensure the same thing doesn't happen again. This typically costs between $4,400 - $19,400. If you're interested in a more specific number, you can use the Ariento quote tool to find out exactly how much Ariento would cost for your business.

Cost 3: Credit Monitoring

In the state of California, a company must offer one year of credit monitoring services to all customers affected by the data breach. This costs between $120 - $250 per customer annually at Experian or TransUnion.

Cost 4: PR / Communications Firm

This is an optional cost, but often one preferred by business owners, as they do not want to deal with all of the incoming calls from customers asking how to set up credit monitoring and what information was breached. For that reason, there are companies that will set up a toll-free phone number unique to your company, but answered by their call center employees. You can put that number in your breach notification letter to customers, ensuring that all public communication and inbound calls are handled by the PR/Communications firm.

Cost 5: Legal Counsel

In a possible breach situation, you will always want to consult with legal counsel to (1) determine if the incident was a breach in the first place, (2) understand reporting requirements and (3) ensure you are protecting yourself from future lawsuits in your handling of the breach. In the state of California, a business suffering a breach with more than 500 records affected must also notify the California Attorney General and post their breach notification on the state's website.

Cost 6: Lost Productivity

Very simply, data breaches are stressful and take up a great deal of time for business owners and their employees. Imagine having to notify customers that their information was stolen from your business. The task alone is time-consuming, and the stress resulting from it differs by person. Bottom line, managing the data breach process takes away from a business owner's already impossibly busy schedule.

Cost 7: Lost Revenue (Departed Customers)

Certain customers will choose to leave after a data breach. No additional explanation needed. 

Cost 8: Lost Revenue (Prospective Customers)

Certain customers who would have chosen to do business with the breached company will instead decide to go to a competitor who hasn't suffered a data breach.

Cost 9: Reputation

Perhaps the biggest cost there is, and one that cannot be quantified. Reputation and relationships are everything for small businesses, and regardless of how strong a business's reputation is, a data breach will damage it. Whether it be from Yelp reviews, word of mouth, or the notification of breach being posted on the Attorney General's website, people find out when a small business suffers a data breach.


Data breaches are expensive and often represent an "out of business" type risk for small businesses. Don't wait until a breach occurs to think about the nine costs of a data breach. Do it now. Simple measures will prevent breaches from occurring in the first place and drastically reduce the cost of a breach if one were to occur.