Estimating the Social Cost of Corporate Data Breaches
Computer Science > Cryptography and Security
[Submitted on 22 Mar 2026]
Lina Alkarmi, Armin Sarabi, Mingyan Liu
While the size of a data breach is typically measured by the number of (consumer, customer, or user) records exposed or compromised, its economic impact is generally measured from the point of view of the corporation suffering the data breach: cost in crisis management, legal fees, drop in stock price, and so on. This study examines whether it is possible to estimate the true cost, or the social cost, of a data breach, measured by the impact on its victims and their out-of-pocket costs. To accomplish this we establish: (1) the estimation of the average direct financial losses of an identity theft (IDT) victim, including the opportunity cost of lost time and healthcare expenditures arising from distress associated with identity theft; and (2) the estimation of increases in incidents of IDT that can be attributed to a major breach event. Our findings show that the average social cost per victim has declined significantly since 2016. Furthermore, we find that there is indeed a statistically significant increase in the number of IDTs following a mega-breach event when accounting for a discovery lag of 1-2 months post-breach. Applying our model to real-world cases allows us to estimate upper and lower bounds on the social cost of specific mega-breach events. We find that for the 2009 Heartland and 2013 Target breaches, even the conservative lower bound social cost estimate exceeded settlements by factors of 5 and 18, respectively. In contrast, the 2017 Equifax breach resulted in a lower bound estimate of $263.8 million, falling well within its $700 million settlement cap. While the Equifax upper bound estimate of $1.72 billion in social cost more than doubles this settlement, the narrowing gap between institutional liability and an incident's social cost provides empirical evidence of a market saturation effect that reduces the marginal damage of individual compromised records over time.
Comments: Accepted to WEIS 2026
Subjects: Cryptography and Security (cs.CR); Computers and Society (cs.CY); Social and Information Networks (cs.SI)
Cite as: arXiv:2603.21270 [cs.CR]
(or arXiv:2603.21270v1 [cs.CR] for this version)
https://doi.org/10.48550/arXiv.2603.21270
Submission history
From: Lina Alkarmi
[v1] Sun, 22 Mar 2026 14:57:44 UTC (254 KB)