Ponemon Institute has issued its annual report on the cost of data breaches. I wrote last year about using per-record costs for data breaches. An excerpt:
It is common when estimating costs of data breaches to quote costs “per record”. Most recently, Ponemon Institute released a study that asserted a cost of $202 per record for data breaches. But here’s the problem — the bulk of the costs of breaches are not variable costs (or at least it isn’t clear to me that they are). These costs appear to be fixed costs.
This year’s per-record cost came out to about $204. I was considering an attempt at parsing out fixed and variable costs to provide a better way to characterize the breach event, but in reading the report I came across this assertion:
As in prior years, data breach cost appears to be linearly related to the size or magnitude of the breach event.
So, I interpret this to mean there is a correlation between costs and number of records. It would be great to verify this claim. Can anyone come up with an alternate explanation?
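One way to check a claim like this against incident-level data, as an added example that is not from the original post or the Ponemon report: fit cost = fixed + variable × records by least squares and compare the intercept with the per-record averages. The five incidents and every dollar figure below are constructed for illustration, and the function names are hypothetical.

```python
# Added illustration: all figures below are constructed, not Ponemon data.
from math import sqrt

# (records breached, total cost in USD) for five hypothetical incidents,
# built as roughly $1,000,000 fixed + $150 per record, plus small noise.
INCIDENTS = [
    (5_000, 1_800_000),
    (10_000, 2_420_000),
    (25_000, 4_770_000),
    (50_000, 8_540_000),
    (100_000, 15_970_000),
]

def fit_line(points):
    """Ordinary least squares for cost = fixed + variable * records.

    Returns (fixed, variable, r), where r is the Pearson correlation.
    """
    n = len(points)
    mean_x = sum(x for x, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in points)
    syy = sum((y - mean_y) ** 2 for _, y in points)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in points)
    variable = sxy / sxx                 # slope: marginal cost per record
    fixed = mean_y - variable * mean_x   # intercept: cost independent of size
    return fixed, variable, sxy / sqrt(sxx * syy)

def per_record(points):
    """Average cost per record for each incident (total cost / records)."""
    return [(x, y / x) for x, y in points]

def pooled_per_record(points):
    """The single headline figure: all costs divided by all records."""
    return sum(y for _, y in points) / sum(x for x, _ in points)

if __name__ == "__main__":
    fixed, variable, r = fit_line(INCIDENTS)
    print(f"fixed ~ ${fixed:,.0f}, variable ~ ${variable:.2f}/record, r = {r:.4f}")
    for records, avg in per_record(INCIDENTS):
        print(f"{records:>7,} records: ${avg:,.2f} per record")
    print(f"pooled: ${pooled_per_record(INCIDENTS):,.2f} per record")
```

In this constructed data the correlation between cost and records is close to 1, yet the average cost per record falls from the smallest incident to the largest, so a strong linear relationship does not by itself rule out a large fixed component.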