– why do data breaches cost millions of dollars?


Anonymous 0 Comments

There is a combination of reasons that combine to result in those numbers.

Depending on what nation the company is in, there are regulatory penalties that can be applied if it's shown the company didn't take required precautions to protect the information.

There are potential civil law suits from the people affected by the breach.

There is a loss of business after a breach too. Customers are less likely to do business if they are worried their information is at risk. Other companies become more reluctant because they don't want the association.

All of these factors can result in significant financial loss to companies that experience data breaches.

Anonymous 0 Comments

It very much depends on what data has been breached. If it is confidential, sensitive or similar, that leads towards fines, and then there is repairing the flaws which led to the breach in the first place.

Anonymous 0 Comments

Companies have a responsibility to protect the information of their clients. In the case of healthcare facilities, it is mandated by the HIPAA law. This law dictates that your doctor cannot talk about your healthcare with anyone who isn’t involved or needs to know. They can’t even say that you are a patient of the practice. This applies to the hospitals too, not just individual practitioners.

Now imagine if a major hospital system is breached and someone accesses their records. They now have the names of hundreds of thousands, if not millions, of people who sought care at that hospital, their diagnoses, their treatment and medications, their address and contact information, etc. This is all information that the hospital had a legal obligation to keep private.

Nobody can prevent 100% of breaches, but if it was found that the hospital’s policies didn’t meet certain standards, they will be slapped with hefty fines and penalties for their negligence.

Anonymous 0 Comments

The size and nature of the breach will determine the costs. If it’s a ransomware attack, that means hackers have encrypted systems and possibly exfiltrated personal information/confidential business information. The hackers will demand a ransom payment in exchange for a decryption key. If the company can get back online from backups and doesn’t need a decryption key, then the hackers threaten to release the private data. Two pronged attack to increase their ability to get ransom money. The ransom payment, if paid, could be in the millions.

If personal information has been taken and/or accessed (either through a ransomware attack or a regular breach), then the company may have notification obligations to those individuals as well as regulators. The company will also have to offer credit monitoring (1 or 2 years depending on the jurisdiction) and set up a call center to speak with impacted individuals who want more information.

There are costs for privacy attorneys to assist with the review of data and notification obligations, discussions with regulators, work with computer forensic firms, ransomware negotiators, data miners etc.

There are costs for computer forensics to come in, contain, mitigate, and remediate computer systems, servers, etc. If machines have been bricked, those need to be replaced.

There are costs for data miners if needed to drill down and determine what information has been accessed and/or taken and to identify the population of people that require notice.

Mailing notices costs money. (Think $2/pp where 1 million people need to get notice).

Sometimes the individuals who receive notice will file lawsuits against the company alleging various violations of state and federal privacy protection laws. If this is a class action, then it's a large number of people and statutory penalties per person can add up into the millions. Sometimes regulators will open an investigation and will require additional information and/or documents. Sometimes regulators impose fines.

All of these elements present costs that can add up into millions.

Companies that get hacked may handle personal information for their customers (think hospitals or accounting firms). But even if they don’t, all companies house personal information for their own employees.

Think of the Starwood/Marriott breach or the Colonial Pipeline ransomware attack. Those are a couple of good examples of how costs get into the millions (100s of millions for Marriott).

Edit: companies are always responsible for the personal information given to them by customers. Many companies use third party providers or outside vendors (think cloud storage) and will share that data. If a third party provider or vendor gets hacked, it is still the company’s responsibility to handle/pay for the notice etc. (of course there are subrogation options, but that comes later).

Spelling/grammar

Edit 2: also, there are business interruption costs in ransomware situations because many companies can’t operate at full capacity. They can’t manufacture, they can’t deliver products or finish projects, they may be in breach of contract with their customers, they need to bring in temporary staff, they may need to manually do what is normally automated, they are losing money daily until systems are restored.

Anonymous 0 Comments

The better question is why do data breaches only cost millions of dollars? Large companies figure them into the cost of doing business because improving security by hiring competent data security teams and constantly monitoring and updating the site costs more than any penalty they could face.

I worked for a large hotel chain that made billions a year and I am no programmer or data security expert but from a layman's perspective their online infrastructure was garbage. It took weeks to get responses and months to get a fix for even the smallest of problems. Unsurprisingly, while I was there they were hacked and millions of their customers' financial and stay data was exposed to a foreign power. Nothing significant changed afterwards and in fact I believe it has happened yet again in the recent past.

Anonymous 0 Comments

Time to investigate and repair breach, lawsuits over damages, fines from government, loss of revenue from upset customers, having to pay for credit monitoring for affected customers

Anonymous 0 Comments

Finally something I can answer, I work in insurance specifically on cyber R&D.

There are many factors that affect the cost of data breaches that all add up. First there are internal costs, forensic costs to identify what system was exploited, fixing the computer systems/software vulnerability that caused the perpetrator to penetrate the system and steal the data. This can also cause something called Business Interruption, where the company can’t do its daily business as computer systems get fixed. Then there are costs that are incurred to notify parties of their data being stolen. Most of these costs are partly covered by insurance though.
Then there are external costs depending on what kind of data got stolen: is it personally identifiable information (SS numbers, birth dates, e-mail addresses etc.), personal credit info (cc numbers, expiration dates, bank account numbers etc.) or personal health info (diseases, health history etc.)? I listed the three main categories in order of increasing costs and penalties that can be imposed on the company being breached. On top of that, companies have to defend themselves in court in case of lawsuits, so you have lawyer costs, they have to pay fines, etc. All this adds up to a lot in the long run.
One other cost that is added but is not per se tangible is reputation harm costs, as the company might lose customers due to the breach.

Anonymous 0 Comments

1. The people who fix breaches and recover data (system engineers, cybersecurity engineers) expect to be paid. Recovering from most large breaches requires dozens, if not hundreds, of professionals dedicated to the task.

2. Litigation.

Anonymous 0 Comments

Imagine you have a toy. Your friends and family helped pay for the toy, and everyone loves it, but it’s your job to keep it safe at your house.

One day you go to check on the toy and it's nowhere to be found. In its place is a note saying *"Ha ha we took your toy!"*

Mom and dad are **PISSED**. They want answers. The answers they want are:

* Who took the toy?
* How did they get in to get the toy?
* Did they take other toys?

*(Cost of research)*

You have no idea how to track down a toy thief so now you have to hire someone who knows how. *(Cost of hiring someone with expertise)*

During their investigation they find you didn’t keep very good track of the toy. You now have to pay to keep things safe – locks on doors, security system, etc. *(Cost of upgrades, hiring more people with expertise)*

Your friends and family will soon find out the toy is missing. How do you tell them? Do you offer anything to reassure them it won’t happen again? *(Cost of communications/LifeLock)*

When you tell them, people no longer trust you. They do not want you taking care of toys anymore. *(Loss of revenue)*

The people who do still have some trust in you want you to become a Certified Toy Protector (CTP) to ensure this never happens again. *(Cost of audits/certifications)*

Others have made great points, and obviously a lot more goes on with it. However that’s how I’d explain it to a 5 year old.

Anonymous 0 Comments

One/more/all of the below:

– Fines from the government or regulatory bodies.
– Loss of business from companies and/or consumers that no longer trust you and stop doing business with you.
– Cost of investigating how it happened.
– Buying new IT infrastructure and hiring employees to prevent it from happening again.
– Running a marketing and PR campaign to try to restore your reputation.