Data Methodology
How the IQWorks Data Observatory collects, verifies, and maintains the data that powers our enforcement fines explorer, breach landscape, regulatory heatmap, and ransomware tracker.
Our Principles
Primary Sources First
We prioritize data from official regulatory publications, DPA press releases, and government gazettes over secondary reporting.
Verifiable Claims
Every data point links back to a source URL. Statistics we publish are derived from data you can inspect in our interactive explorers.
Regular Updates
Datasets are refreshed on a regular cadence using automated ingestion pipelines with manual review.
Transparent Limitations
We document known gaps, estimation methods, and coverage boundaries for each dataset.
Enforcement Fines
Coverage
419 actions from 2018-11-26 to 2026-02-22
Sources (33)
AEPD, AEPD Spain, AP, AP Netherlands, APD, Baden-Württemberg DPA (LfDI BW), Bavarian DPA (BayLDA), Bayerisches Landesamt für Datenschutzaufsicht, and 25 more
Enforcement action data is collected from official Data Protection Authority (DPA) publications across Europe, India, the United States, and other jurisdictions. Each action is recorded with the organization name, issuing authority, regulation violated, fine amount in the original currency and EUR equivalent, violation types, industry classification, and a severity score.
Fine amounts in non-EUR currencies are converted using the exchange rate at the date of issuance. Where fine amounts are expressed as a range, we record the upper bound. Severity scores (1-10) are computed based on fine magnitude relative to the issuing authority's typical range, the nature of violations, and whether the action involved repeat offenses.
Data Breaches
Coverage
953 breaches from 2007-07-12 to 2026-03-13
Primary Source
Have I Been Pwned (HIBP)
Breach data is sourced primarily from Have I Been Pwned (HIBP), supplemented with breach disclosures from SEC filings, DPA notifications, and news reporting. Each breach is enriched with industry classification, attack vector categorization, affected data types, and estimated financial impact.
Counts of records affected reflect the number of unique accounts or records compromised, as reported by the breached organization or verified through HIBP. Financial impact estimates apply the IBM/Ponemon Cost of a Data Breach methodology to the number of records and the industry sector.
Global Regulations
Coverage
174 countries and territories
Sources
LLM-generated (Claude Haiku), IQWorks Enforcement Fines Explorer, Manual verification, ITU Global Cybersecurity Index 2024, OECD AI Policy Observatory
Regulatory data covers privacy law status, cybersecurity law status, and AI governance status for 174 countries. Each country profile includes the law name, enactment year, DPA name, robustness assessment, breach notification requirements, DPO obligation status, cross-border transfer restrictions, and EU adequacy decisions.
Robustness assessments (heavy, moderate, limited, inadequate) are based on the scope of the law, enforcement mechanisms, individual rights granted, and international benchmarking. AI governance data is sourced from the OECD AI Policy Observatory and manual verification of national AI strategies and regulations.
Ransomware & Cyber Incidents
Coverage
61 major incidents + 1551 CISA KEV CVEs
Sources
CISA KEV, LLM-curated historical incidents
Ransomware incident data covers publicly documented attacks with known ransomware groups, ransom demands, payments, and organizational impact. CISA Known Exploited Vulnerabilities (KEV) data is sourced directly from the CISA catalog and cross-referenced with ransomware campaign attribution.
Ransom demand and payment figures are sourced from public disclosures, SEC filings, and investigative reporting. Where exact amounts are not publicly available, we note the source's confidence level. Incidents with unverified ransom amounts are excluded from aggregate totals.