While the size of a data breach is typically measured by the number of (consumer, customer, or user) records exposed or compromised, its economic impact is generally measured from the point of view of the corporation suffering the data breach: cost in crisis management, legal fees, drop in stock price, and so on. This study examines whether it is possible to estimate the true cost, or social cost, of a data breach, measured by the impact on its victims and their out-of-pocket costs. To accomplish this, we establish: (1) an estimate of the average direct financial losses of an identity theft (IDT) victim, including the opportunity cost of lost time and the healthcare expenditures for distress associated with identity theft; and (2) an estimate of the increase in IDT incidents that can be attributed to a major breach event. Our findings show that the average social cost per victim has declined significantly since 2016. Furthermore, we find that there is indeed a statistically significant increase in the number of IDTs following a mega-breach event when accounting for a discovery lag of 1-2 months post-breach. Applying our model to real-world cases allows us to estimate upper and lower bounds on the social cost of specific mega-breach events. We find that for the 2009 Heartland and 2013 Target breaches, even the conservative lower-bound social cost estimate exceeded settlements by factors of 5 and 18, respectively. In contrast, the 2017 Equifax breach resulted in a lower-bound estimate of $263.8 million, falling well within its $700 million settlement cap. While the Equifax upper-bound estimate of $1.72 billion in social cost more than doubles this settlement, the narrowing gap between institutional liability and an incident's social cost provides empirical evidence of a market saturation effect that reduces the marginal damage of individual compromised records over time.