Regional headline
US breach cost: 2.30x the global average.
US breaches now cost $10.22M on average (2025), a record high and up 9% on 2024. Brazil, at the other end of the range, averages $1.36M. The spread reflects regulatory regime, labour costs for response, litigation culture, and customer-churn expectations, not attack severity. Multinational organizations should weight their exposure by where the affected records, customers and regulators sit rather than by the single global average.
| Metric | Value | Note |
|---|---|---|
| Global average | $4.44M | IBM 2025 |
| US average | $10.22M | Record high, +9% YoY |
| UK average | $4.21M | -2% YoY |
| Brazil average | $1.36M | Lowest in dataset |
Section 08.1 / Country / region ranking
14 jurisdictions, 2025 figures
Primary source: IBM Cost of a Data Breach Report 2025 (regional sub-aggregates).
Section 08.2 / Multipliers & regulatory notes
What the multiplier represents
Each multiplier is the IBM 2025 country average divided by the global $4.44M baseline, rounded to two decimals (e.g. $10.22M / $4.44M = 2.30). The ratio captures whatever drives the country average: regulatory regime, labour costs for IR and legal work, currency, and litigation culture. It is not adjusted for attack severity or company size, and the per-country figures come from small samples within the IBM study, so small differences between neighbouring rows should not be over-read.
| Country / region | Avg cost | Multiplier | YoY | Regulation | Notes |
|---|---|---|---|---|---|
| United States | $10.22M | x2.30 | +9% | State-by-state | Highest globally. State-by-state notification statutes, class-action culture, and high IR labour costs combine to push US breach costs to record levels in 2025. |
| Middle East | $7.29M | x1.64 | +8% | Varies | Growing fast. The UAE Personal Data Protection Law (in force 2022) and Saudi PDPL (enforced from 2024) introduced GDPR-style notification duties, and oil & gas critical infrastructure carries large business-interruption costs. |
| Canada | $5.13M | x1.16 | +3% | PIPEDA | |
| Germany | $4.85M | x1.09 | +2% | GDPR / BDSG | Strong national supervisory authority (BfDI plus state authorities). High labour costs for forensic and legal response. Industrial-IP breach costs particularly high. |
| Japan | $4.53M | x1.02 | +1% | APPI | |
| United Kingdom | $4.21M | x0.95 | -2% | UK GDPR / DPA | Post-Brexit UK GDPR mirrors EU GDPR but with ICO enforcement. Notification clock 72 hours. Costs declined 2% in 2025. |
| France | $4.08M | x0.92 | +4% | GDPR / CNIL | CNIL is a well-resourced regulator. GDPR fines have risen sharply across the EU, e.g. Meta EUR 1.2B (Irish DPC, 2023, for unlawful data transfers) and CNIL's own EUR 32M fine on Amazon France Logistique (2024, employee monitoring); neither was a breach fine, but both show the enforcement ceiling is real. |
| Italy | $3.86M | x0.87 | +1% | GDPR / Garante | |
| South Korea | $3.62M | x0.82 | +5% | PIPA | |
| Australia | $3.41M | x0.77 | -1% | NDB / Privacy Act | |
| South Africa | $2.87M | x0.65 | +7% | POPIA | |
| ASEAN | $2.71M | x0.61 | +3% | Varies | |
| India | $2.35M | x0.53 | +6% | DPDP Act | DPDP Act 2023 introduces GDPR-style breach notification and penalties of up to INR 250 crore per instance, but breach-cost levels remain low because response labour costs are low. |
| Brazil | $1.36M | x0.31 | -4% | LGPD | Lowest in the IBM dataset. LGPD enforcement is active but litigation culture and labour costs remain low compared to the US. |
Section 08.3 / GDPR impact on European breach costs
The 72-hour clock and the 4% revenue ceiling
GDPR's notification regime and supervisory-authority enforcement reshape European breach economics. Fine ceilings of 4% of global annual turnover or EUR 20M, whichever is higher, create asymmetric risk for global organizations. Enforcement pace has accelerated: the EUR 1.2B Meta fine (2023) and the regulator-coordinated investigations of US tech firms make material exposure realistic for any organization processing EU personal data at scale.
Notification clock
72 hours
Article 33: notify the competent supervisory authority (the lead authority for cross-border processing) without undue delay and, where feasible, within 72 hours of becoming aware of a personal-data breach, unless the breach is unlikely to result in a risk to individuals. A late notification must explain the delay. Missing the clock is a separate infringement, fined under the lower tier (up to EUR 10M or 2% of global annual turnover), independent of any fine for the underlying security failure. Article 34 additionally requires notifying affected individuals when the breach is likely to result in a high risk.
Maximum fine
4% revenue
4% of global annual turnover or EUR 20M, whichever is higher, for the most serious infringements (Article 83(5)). The Meta EUR 1.2B (Irish DPC, 2023) and Amazon EUR 746M (Luxembourg CNPD, 2021) fines sit within this ceiling; both concerned unlawful processing rather than a security breach, which shows how far below the ceiling breach fines have so far stayed.
Cross-border
One-stop shop
Cross-border incidents are coordinated through the lead authority but consultation with all affected authorities adds weeks to the resolution timeline.
Section 08.4 / US state notification map
Why US costs are so high
The US has no general federal breach-notification statute; federal rules are sector-specific (HIPAA's 60-day breach notification rule for health data, GLBA for financial institutions, and the SEC's four-business-day Form 8-K disclosure for material incidents at public companies). All 50 states + DC have their own statute, with notification deadlines ranging from 30 days (Florida, Washington, and California from Jan 2026) to 'as soon as practicable' (Massachusetts). A multi-state breach therefore requires simultaneous compliance with up to 50+ statutes, each with its own definition of personal information, trigger, and deadline. This fragmentation is one of the factors behind the US sitting at the top of the IBM cost ranking, and it shows no sign of changing.
Notable state regimes: California SB 446 (effective Jan 2026) requires notification within 30 days of discovery, placing California in the strictest tier alongside Florida and Washington. The New York SHIELD Act (2019) expanded the definition of personal information and added reasonable-security obligations. Texas expanded notification scope in 2025. Many states additionally require attorney-general notification above a resident-count threshold (commonly 500 or 1,000 affected residents). See Schedule 09 for the full state-by-state register.
Index / Companion schedules
01 Calculator → Apply regional multipliers to your specific exposure.
02 Statistics → Global IBM 2025 figures and methodology.
03 By industry → Same industry costs differently across regions.
04 Biggest breaches → Geographic distribution of mega-breaches.
09 Notification laws → GDPR 72-hour, all 50 US states + DC, in detail.
10 Cost breakdown → Where the regional difference comes from.
Schedule F / Reference Q&A