What are the GDPR fines for a phishing breach?

GDPR fines for phishing-related data breaches can reach up to EUR 20 million or 4% of annual global turnover, whichever is higher. Typical fines for security-related violations range from EUR 50,000 to EUR 10 million. Organisations must notify the supervisory authority within 72 hours of discovering a breach. British Airways was fined GBP 20 million and Marriott GBP 18.4 million for data breaches.

What are the HIPAA penalties for a phishing breach in healthcare?

HIPAA violations range from $100 to $50,000 per violation, with a maximum of $1.5 million per violation category per year. Breaches affecting 500+ individuals must be reported to HHS within 60 days. Notable settlements include Anthem ($16M for 78.8 million records) and Premera Blue Cross ($6.85M for 10.4 million records).

What are the SEC requirements for reporting a phishing breach?

Since December 2023, SEC rules require public companies to disclose material cybersecurity incidents on Form 8-K within 4 business days of determining the incident is material. Companies must also describe cybersecurity risk management and governance in annual Form 10-K filings. The SEC has taken enforcement actions against companies and individuals for inadequate cyber disclosure.

How much does breach notification cost per record?

The average cost of breach notification is $164 per record according to IBM's 2025 Cost of a Data Breach report. This includes notification letter production, credit monitoring enrolment, call centre operations, and regulatory filing costs. Multi-state breaches in the US face additional complexity as all 50 states have different notification requirements and timelines.

Regulatory Fines for Phishing Breaches: GDPR, HIPAA, SEC & State Laws (2026)

The regulatory cost component of a phishing breach can exceed the direct incident costs. GDPR fines reach 4% of global revenue. HIPAA can cost $1.5M per year. Understand your total regulatory exposure.

Updated 15 April 2026

Regulation	Max Fine	Typical Range	Notification
GDPR (EU)	EUR 20M or 4% of annual global turnover	EUR 50K - EUR 10M	72 hours to supervisory authority
HIPAA (US Healthcare)	$1.5M per violation category per year	$100 - $50,000 per violation	60 days to HHS (breaches affecting 500+ individuals)
SEC Cybersecurity Rules (US Public Companies)	Varies (enforcement actions, settlements)	$200K - $50M (enforcement actions)	4 business days (Form 8-K for material incidents)
PCI-DSS (Payment Card Industry)	$5,000 - $100,000 per month of non-compliance	$5,000 - $100,000/month + card brand fines	Varies by card brand (typically 24-72 hours)
US State Breach Notification Laws	Varies by state ($750 - $7,500 per violation)	Attorney General actions + per-record penalties	30-90 days (varies by state)
NERC CIP (US Energy Sector)	Up to $1M per day per violation	$10,000 - $1M per day	Varies by reliability standard

GDPR (EU)

European Union + EEA

Max Fine

EUR 20M or 4% of annual global turnover

Notification

72 hours to supervisory authority

The General Data Protection Regulation applies to any organisation processing EU residents' personal data. Phishing breaches that expose personal data trigger mandatory notification to the supervisory authority within 72 hours of discovery. GDPR fines are calculated based on the nature of the violation, number of data subjects affected, and the organisation's turnover.

Enforcement Examples

▸British Airways: GBP 20M fine for breach affecting 400,000 customers (reduced from initial GBP 183M)
▸Marriott: GBP 18.4M fine for breach affecting 339 million guests
▸H&M: EUR 35.3M fine for employee surveillance violations

HIPAA (US Healthcare)

United States (healthcare entities)

Max Fine

$1.5M per violation category per year

Notification

60 days to HHS (breaches affecting 500+ individuals)

The Health Insurance Portability and Accountability Act requires covered entities and business associates to protect patient health information (PHI). Phishing breaches exposing PHI trigger notification requirements scaled by number of affected individuals. The HHS Office for Civil Rights (OCR) actively investigates and fines organisations for HIPAA violations related to phishing.

Enforcement Examples

▸Anthem: $16M settlement for breach affecting 78.8 million individuals
▸Premera Blue Cross: $6.85M settlement for breach affecting 10.4 million
▸Banner Health: $1.25M settlement for phishing-related breach

SEC Cybersecurity Rules (US Public Companies)

United States (SEC-regulated companies)

Max Fine

Varies (enforcement actions, settlements)

Notification

4 business days (Form 8-K for material incidents)

Since December 2023, SEC rules require public companies to disclose material cybersecurity incidents on Form 8-K within 4 business days of determining materiality. Companies must also describe their cybersecurity risk management, strategy, and governance in annual reports (Form 10-K). Failure to disclose can result in enforcement actions.

Enforcement Examples

▸SolarWinds: SEC filed charges against the CISO for misleading investors about cybersecurity practices
▸Multiple companies fined for delayed disclosure of cyber incidents
▸Form 8-K filings now required for material phishing-initiated breaches

PCI-DSS (Payment Card Industry)

Global (organisations handling card data)

Max Fine

$5,000 - $100,000 per month of non-compliance

Notification

Varies by card brand (typically 24-72 hours)

PCI-DSS applies to any organisation that processes, stores, or transmits payment card data. Phishing breaches that compromise cardholder data trigger card brand penalties, potential loss of processing privileges, and mandatory forensic investigation (PFI) at the merchant's expense. Average cost of a PCI-DSS forensic investigation: $50,000-$200,000.

Enforcement Examples

▸Target: $18.5M settlement with 47 state attorneys general after phishing-initiated breach
▸Home Depot: $17.5M settlement after breach compromising 56 million cards
▸Average PCI forensic investigation cost: $50,000-$200,000

US State Breach Notification Laws

United States (all 50 states)

Max Fine

Varies by state ($750 - $7,500 per violation)

Notification

30-90 days (varies by state)

All 50 US states plus DC, Guam, Puerto Rico, and the US Virgin Islands have breach notification laws. Requirements vary significantly: California (CCPA/CPRA) allows fines up to $7,500 per intentional violation, while other states impose per-record penalties. Multi-state breaches face the compliance burden of notifying under each state's distinct requirements.

Enforcement Examples

▸California CCPA: $7,500 per intentional violation, $2,500 per unintentional
▸New York SHIELD Act: $5,000 per violation, up to $20 per failed notification
▸Average cost of breach notification: $164 per record (IBM 2025)

NERC CIP (US Energy Sector)

United States (bulk electric system operators)

Max Fine

Up to $1M per day per violation

Notification

Varies by reliability standard

The North American Electric Reliability Corporation Critical Infrastructure Protection standards govern cybersecurity for the bulk electric system. Phishing attacks that compromise operational technology or control systems face severe penalties. Given the critical infrastructure implications, NERC CIP violations carry some of the highest per-day penalties of any regulatory framework.

Enforcement Examples

▸Duke Energy: $10M fine for 127 NERC CIP violations
▸Penalty amounts escalate rapidly for repeated or serious violations
▸Colonial Pipeline incident highlighted regulatory scrutiny of energy sector cybersecurity

Regulatory Cost Estimator

Primary Jurisdiction

Records Affected

Number of personal records potentially compromised

Annual Revenue ($M)

Industry

Notification Costs

$1.64M

$164 per record (IBM 2025)

Estimated Regulatory Fine

$1.00M

Based on jurisdiction and severity

Legal / Class Action Costs

$500K

Average class action settlement: $2.1M

Forensic Investigation

$50K

$50K-$200K typical range

Total Estimated Regulatory Exposure

$3.19M

Notification + fines + legal + forensics

These are estimates for planning purposes only. Actual regulatory fines depend on the specific circumstances of each breach, enforcement discretion, cooperation with authorities, and existing security measures. Consult legal counsel for specific regulatory compliance advice.

Full Cost Calculator

Regulatory fines included in total model

Industry Regulations

Industry-specific regulatory requirements

Regulatory Outcomes

Real breach regulatory consequences

Full data breach cost analysis → DataBreachCost.com