What a data breach really costs: the bill arrives for years, and the fine is the smallest part
18 July 2026 · 7 min read · INTO MSP team
When a data breach comes up, the owner of a small business usually thinks of one thing: the fine. And usually concludes that this happens to big companies, that regulators do not look at small ones, and that the risk is theoretical. This week brought two reminders that the bill looks different, and that it keeps arriving long after the intrusion itself.
23andMe, the genetic testing company, agreed to an 18 million dollar settlement with US state attorneys general over failures to protect customer data. The breach happened back in 2023. The bill, in other words, arrived three years later, on top of everything the company had already paid in the meantime. The same week, the Italian regulator fined a telecom operator 1.7 million euros over data leaks. Ransomware groups, meanwhile, have refined a model where they no longer even need to lock your systems: publishing "evidence" that they hold your data and waiting is enough.
None of these companies is small. But the mechanics of the bill are the same for everyone; only the zeros differ. It is worth understanding before it becomes personal.
The bill has four parts, and the fine is only one
The first item is the direct cost of the incident: downtime, system recovery, forensics, rebuilding what was destroyed, overtime. You pay this immediately, while you still do not even know exactly what happened. For a small business this is often the largest item, because it is measured in days when nobody is doing their actual job.
The second item is legal: the regulator's proceedings, a possible fine, and increasingly lawsuits or settlements with the people whose data leaked. The 23andMe case shows this item stretches over years, and the settlement can exceed any fine.
The third item is commercial, and no report ever lists it: the clients who leave. A company that works with an accountant, a lawyer or an IT partner entrusts them with its data. When that data leaks, the contract does not end with drama. It simply does not get renewed. For a service business this item can outweigh all the others combined.
The fourth item is management time. The months the owner spends on lawyers, the regulator and unsettled clients are months not spent on the business.
What the regulator actually asks
The good news, which few people know: GDPR does not demand perfect security. It demands appropriate measures and proof that they exist. When an incident happens, the regulator's questions come down to this:
- Did you have basic protective measures, appropriate to the kind of data you hold
- Did you report the incident within the deadline, which is measured in hours and days, not weeks
- Can you show what happened, to which data, and when
- What have you done so it does not repeat
A company that has answers to these questions, and paperwork to back them, goes through the process incomparably more easily than a company that shrugs. The difference is not whether the incident happened, but whether a documented system stands behind the business: a data inventory, access control, logs, a tested backup, a reporting procedure. We covered the compliance minimum in our GDPR article, and companies falling under NIS2 rules carry additional obligations on top.
Why a small business is in a worse position than a large one
A large company survives a breach: it has reserves, a legal team and insurance. A small business has none of those, and the attacker does not care. If anything, a small business is the easier target precisely because it assumes it is not a target. We took that assumption apart in our ransomware article: attackers do not pick the big, they pick the unprotected.
There is a second angle that is easy to miss: a small business is somebody's supplier. If your systems are used as a way into your client, you are no longer talking only to the regulator but to your client's lawyers. Contracts with larger partners increasingly contain security obligations, and breaching them is a cost of its own, independent of any fine.
What is worth doing before the incident
Everything the regulator and your clients will demand after an incident is cheaper to set up before it:
- Know what data you hold, where, and who has access to it
- Basic access hygiene: MFA, least privilege, closing old accounts
- A backup that has been tested by restoring, not just configured
- Logs of who did what, so you are not guessing after an incident
- A short written procedure: who calls whom, who reports, who talks to clients
None of this is an investment in "maybe". It is the difference between an incident that is an unpleasant episode and an incident that becomes a multi-year cost with an uncertain end. The bill for a data breach cannot be negotiated down, but it can be made small, and only in advance. If you do not know how your company would answer the regulator's four questions from this article today, that is the place to start.
Want this handled, without the drama?
INTO MSP runs security, backup and IT for small and mid-size companies. Step one is a short, no-obligation review.
IT Consulting & vCIO → Contact