* feat: add data-breach-blast-radius skill for pre-breach impact analysis * fix: resolve codespell false positives (ZAR currency code, SME abbreviation) * fix: remove ZAR abbreviation to pass codespell check
# Sources & Validation
Every number, formula, and classification in this skill is sourced from a publicly verifiable primary source. This file exists so contributors, reviewers, and users can independently verify all claims before trusting the output.
If you find a number that is wrong, outdated, or missing a citation — please open a PR against this file.
## Data Classification Standards
### GDPR Special Categories (Tier 1 classification basis)
- Source: Regulation (EU) 2016/679 — Article 9 "Processing of special categories of personal data"
- URL: https://gdpr-info.eu/art-9-gdpr/
- What it says: Biometric data, health data, genetic data, racial/ethnic origin, political opinions, religious beliefs, sex life/orientation are "special categories" requiring explicit consent.
- Our use: These map directly to Tier 1 in `data-classification.md`
### PCI-DSS Data Classification
- Source: PCI Security Standards Council — PCI DSS v4.0 (March 2022)
- URL: https://www.pcisecuritystandards.org/document_library/
- What it says: Primary Account Number (PAN), cardholder name, expiration date, service code = cardholder data. CVV = sensitive authentication data. Both must be protected.
- Our use: Maps to Tier 2 PCI-DSS in `data-classification.md`
### HIPAA Protected Health Information (PHI) Definition
- Source: 45 CFR Part 160 and Part 164 (Health Insurance Portability and Accountability Act)
- URL: https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html
- What it says: The 18 HIPAA identifiers that make health data "protected" — includes names, geographic data, dates, phone numbers, emails, SSNs, medical record numbers, health plan IDs, etc.
- Our use: Tier 1 PHI fields in `data-classification.md`
## GDPR Fine Formulas
Source: Regulation (EU) 2016/679 — Article 83 "General conditions for imposing administrative fines"
URL: https://gdpr-info.eu/art-83-gdpr/
Exact legal text (Article 83.4):
"Infringements of the following provisions shall...be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher..."
Exact legal text (Article 83.5):
"Infringements of the following provisions shall...be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher..."
Our formula: Directly transcribed from Article 83.4 (Tier 1 violations) and Article 83.5 (Tier 2 violations). No interpretation added.
Historic fines for calibration (all publicly verified):
## CCPA / CPRA Fine Formula
Source: California Civil Code § 1798.155(a) — California Consumer Privacy Act
URL: https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.155
Note (as of June 30, 2025): Stats. 2025, Ch. 20, Sec. 1 (AB 137) amended § 1798.155. The administrative fine amounts are now in subsection (a). Old references to § 1798.155(b) for fine amounts are incorrect under the amended text. Verify at the URL above for any future changes.
Exact statutory text (§ 1798.155(a) as amended):
"Any business, service provider, contractor, or other person that violates this title shall be liable for an administrative fine of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation..."
Private Right of Action source: California Civil Code § 1798.150
URL: https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.150
Exact statutory text:
"Any consumer whose nonencrypted and nonredacted personal information...is subject to an unauthorized access and exfiltration...may institute a civil action for...damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater..."
Our formula: Directly transcribed. $2,500 / $7,500 per violation comes verbatim from § 1798.155(a) (as amended June 30, 2025). $100–$750 private right of action comes verbatim from § 1798.150.
## HIPAA Fine Formula
Source: 45 CFR § 160.404 — Civil Money Penalties
URL: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404
Source (HHS penalty tiers explained): HHS Office for Civil Rights
URL: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
HHS OCR penalty tiers (current inflation-adjusted 2024 amounts):
- Tier A (no knowledge): $137–$68,928 per violation, $2,067,813 annual cap
- Tier B (reasonable cause): $1,379–$68,928, $2,067,813 annual cap
- Tier C (willful, corrected): $13,785–$68,928, $2,067,813 annual cap
- Tier D (willful, not corrected): $68,928–$1,919,173, $1,919,173 annual cap
URL for current amounts: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/all-cases/index.html
Note on our figures: The dollar amounts in regulatory-impact.md match HHS's inflation-adjusted 2024 penalty tiers. HHS adjusts these annually. Always verify against the HHS OCR website for the current year.
Criminal penalties source: 42 U.S.C. § 1320d-6
URL: https://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title42-section1320d-6
## LGPD Fine Formula
Source: Lei Geral de Proteção de Dados Pessoais (LGPD) — Lei nº 13.709/2018, Article 52
URL: https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm
Exact text (Art. 52, I): Fine of up to 2% of revenue of a private legal entity or group in Brazil in its last fiscal year, limited to R$50,000,000 (fifty million reais) per infraction.
Our formula: Verbatim from Article 52.
## Singapore PDPA Fine Formula
Source: Personal Data Protection Act 2012 (Singapore) — Section 48J
URL: https://sso.agc.gov.sg/Act/PDPA2012
Maximum fine: S$1,000,000 per breach OR 10% of annual turnover in Singapore (if turnover > S$10M) — whichever is higher, per the 2021 amendment.
## Breach Cost Benchmarks
Source: IBM Security — "Cost of a Data Breach Report" (published annually since 2005)
URL: https://www.ibm.com/reports/data-breach
Publisher: IBM Security + Ponemon Institute
Methodology (2024 edition): Survey of 604 organizations across 17 industries in 16 countries/regions. Each breach involved 2,170–113,954 compromised records.
Last-verified figures (IBM 2024 edition):
| Metric | Value | Source |
|---|---|---|
| Global average total cost | $4.88M | IBM 2024, p.4 |
| Healthcare cost per record | $408 | IBM 2024, p.12 |
| Average cost per record (all industries) | $165 | IBM 2024, p.11 |
| Average time to identify breach | 194 days | IBM 2024, p.15 |
| Average time to contain breach | 73 days | IBM 2024, p.15 |
| Cost premium for breaches > 200 days | +$1.02M | IBM 2024, p.16 |
| Cost reduction from AI/ML security | -$2.22M | IBM 2024, p.20 |
| Cost reduction from IR planning | -$232K | IBM 2024, p.21 |
| Cost reduction from employee training | -$258K | IBM 2024, p.21 |
2025 update: The IBM 2025 report (live at the URL above) reports a 9% decrease in the global average from $4.88M. The exact 2025 figure requires downloading the report PDF. Skill maintainers: update this table annually when a new edition is published.
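Added example (not the skill's own code): the statutory ceilings transcribed in the fine-formula sections above and the IBM 2024 per-record benchmarks, applied to one constructed breach scenario in the "IBM benchmarks + fine formula applied to population" manner the estimate table describes. The function names, the turnover-dict keys and the one-CCPA-violation-per-affected-record assumption are mine, not the skill's.

```python
IBM_2024_COST_PER_RECORD = {"all_industries": 165, "healthcare": 408}  # USD, IBM 2024 p.11-12

def gdpr_max_fine(paragraph: int, worldwide_turnover_eur: float) -> float:
    """Art. 83.4 (10M EUR or 2%) / Art. 83.5 (20M EUR or 4%), whichever is higher."""
    fixed, pct = {4: (10_000_000, 0.02), 5: (20_000_000, 0.04)}[paragraph]
    return max(fixed, pct * worldwide_turnover_eur)

def ccpa_admin_fine(violations: int, intentional: bool) -> float:
    """Sec. 1798.155(a): $2,500 per violation, $7,500 per intentional violation."""
    return violations * (7_500 if intentional else 2_500)

def ccpa_private_action_range(consumers: int) -> tuple:
    """Sec. 1798.150: statutory damages of $100 to $750 per consumer per incident."""
    return (100 * consumers, 750 * consumers)

def lgpd_max_fine(brazil_revenue_brl: float) -> float:
    """Art. 52, I: up to 2% of Brazilian revenue, capped at R$50M per infraction."""
    return min(0.02 * brazil_revenue_brl, 50_000_000)

def pdpa_max_fine(singapore_turnover_sgd: float) -> float:
    """s.48J (2021): S$1M, or 10% of Singapore turnover once turnover exceeds S$10M,
    whichever is higher."""
    if singapore_turnover_sgd > 10_000_000:
        return max(1_000_000, 0.10 * singapore_turnover_sgd)
    return 1_000_000

def benchmark_cost_range(records: int) -> tuple:
    """IBM 2024 per-record averages: all-industry figure as the low end,
    healthcare figure as the high end."""
    return (records * IBM_2024_COST_PER_RECORD["all_industries"],
            records * IBM_2024_COST_PER_RECORD["healthcare"])

def breach_exposure(records: int, turnover: dict, gdpr_paragraph: int = 5) -> dict:
    """Worst-case statutory ceilings plus benchmark cost for one scenario.
    Assumptions (mine): one CCPA violation per affected record; `turnover` uses
    the keys 'eur', 'brl', 'sgd' (each in its statute's own basis) and a regime
    whose figure is absent is skipped. Not a prediction of any actual fine."""
    exposure = {
        "ibm_benchmark_usd": benchmark_cost_range(records),
        "ccpa_admin_usd": ccpa_admin_fine(records, intentional=False),
        "ccpa_private_usd": ccpa_private_action_range(records),
    }
    if "eur" in turnover:
        exposure["gdpr_eur"] = gdpr_max_fine(gdpr_paragraph, turnover["eur"])
    if "brl" in turnover:
        exposure["lgpd_brl"] = lgpd_max_fine(turnover["brl"])
    if "sgd" in turnover:
        exposure["pdpa_sgd"] = pdpa_max_fine(turnover["sgd"])
    return exposure
```

A constructed scenario such as `breach_exposure(50_000, {"eur": 1_000_000_000, "brl": 4_000_000_000, "sgd": 25_000_000})` shows the LGPD R$50M cap and the PDPA turnover threshold both taking effect.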
## Breach Notification Timelines
## Blast Radius Formula Basis
The scoring formula structure is adapted from established risk quantification frameworks:
| Component | Based on |
|---|---|
| Tier Weight × Exposure Likelihood | OWASP Risk Rating Methodology — https://owasp.org/www-community/OWASP_Risk_Rating_Methodology |
| Completeness Factor | FAIR (Factor Analysis of Information Risk) model — https://www.fairinstitute.org/ |
| Population Scale normalization | CVSS v4.0 Attack Scale metric — https://www.first.org/cvss/v4-0/ |
| Context multipliers | GDPR recitals 75, 91 (special categories increase risk level) — https://gdpr-info.eu/recital-75-gdpr/ |
What the formula is NOT: It is not a legally recognized standard. It is a planning heuristic based on accepted risk frameworks, producing a relative score to compare exposure vectors — not an absolute prediction of breach cost.
## What Is Estimated vs. What Is Exact
| Item | Status | Notes |
|---|---|---|
| GDPR fine maximum (€20M / 4% turnover) | Exact — verbatim from Art. 83.5 | This is the law |
| CCPA fine ($2,500 / $7,500) | Exact — verbatim from § 1798.155(a) (as amended June 30, 2025) | This is the law |
| HIPAA tier amounts | Exact for 2024 — HHS inflation-adjusted | Update annually |
| Blast Radius Score | Estimate — heuristic planning tool | Not a legal or insurance figure |
| Financial impact range ($X–$Y) | Estimate — IBM benchmarks + fine formula applied to population | Not a prediction |
| "Probable" fine amount | Estimate — based on historic fine patterns | Real fines vary enormously by regulator |
| Notification timeline | Exact — verbatim from law | These are hard legal deadlines |