The Math Nobody Does Before Something Goes Wrong
Most small business owners have never run this calculation. When they imagine a data incident, they picture either nothing or catastrophe, with nothing in between. The reality is grimmer than nothing and cheaper than catastrophe, which makes it real.
Here's what an AI-related data incident costs at a 25-person manufacturing operation, broken down by the actual line items that hit your bank account before anyone has filed a lawsuit.
A note on data security:
The risks covered in this article are real and they are happening in companies like yours right now. The single most effective first step is a written AI Acceptable Use Policy that tells your employees exactly what they can and cannot put into AI tools — before something goes wrong. If you don't have one, that's the place to start.
The First 48 Hours
Legal consultation to determine notification obligations: $300-500 per hour, minimum 3-5 hours = $900-2,500. This is you calling a lawyer because you no longer know what you're legally required to do. The call is expensive, and it happens first because you don't know what happens next.
Determining the scope of the incident: If an employee accidentally pasted client data into a public AI tool, you now need to figure out what data, which clients, and how to tell them. If it was a supplier's proprietary information, you're determining whether the NDA has been violated. If it was internal payroll data, you're assessing ERISA implications. Scope assessment: budget another $1,000-2,000 in staff time and legal review.
State Notification Requirements
Most states now have data breach notification laws. They vary. Some require notification within 30 days. Some within 72 hours. Some require notification to the state attorney general in addition to affected individuals. Some states are lenient if the breach is unlikely to cause harm. Some are not. You cannot know your obligations without understanding your state's specific law, which means you're back to the lawyer.
State-specific legal review and compliance: $500-1,000. This covers only figuring out what the law requires, not the notification itself.
Client Notification
You have to tell the clients whose data may have been exposed. Assuming you have between 15 and 50 active clients at a typical small manufacturing operation, you're now drafting a letter, getting legal sign-off on that letter, and sending it.
Template letter development and legal review: $800-1,200.
Printing and distribution: If you're mailing physical letters (legally safer), budget $300-500 for printing and postage.
Time for staff to answer the phone calls that follow: Clients are going to call. You need someone available to answer their questions. Budget 10-20 hours of staff time. At $20/hour loaded cost, that's $200-400.
Subtotal for client notification: $1,300-2,100.
Reputational Damage
This is the hardest to quantify because it doesn't show up as a single invoice. It shows up as a client who was already thinking about finding another vendor, and who uses the incident as the reason to leave. It shows up as a prospective client who heard about the incident and never calls.
At a typical 25-person manufacturing operation, the average client relationship lifetime value is $15,000-50,000 depending on the industry and contract size. A single client who leaves directly after you notify them of a data incident is not a one-time cost. It's a lost revenue stream.
For this calculation, assume you lose one client. Not catastrophically—just one. That's $15,000-50,000 that does not hit your revenue this year.
Total Plausible Cost for a Minor Incident
Legal consultations and state compliance: $2,400-4,500.
Client notification and management: $1,300-2,100.
Lost revenue from client attrition: $15,000-50,000.
Total: $18,700-56,600 for a minor incident at a 25-person company.
That's before anyone sues anyone. That's before the incident even qualifies as a "breach" under most state definitions. That's the cost of a situation where an employee pasted client financial data into ChatGPT without malicious intent, it was discovered, and you did everything correctly.
The Contrast
The AI Training Kit is $997, one-time. Permanent license.
At a 25-person company, that works out to $38.08 per employee, one time.
For that single investment, you get a written AI Acceptable Use Policy that tells your employees exactly what they can and cannot put into AI tools. You get a five-week email training series that deploys in under an hour. You get a Risk Audit Card that your management team uses to review your actual exposure. You get the templates and documentation that serve as proof—to clients, to regulators, to a lawyer if the conversation ever goes that far—that you took this seriously before something happened.
The math is arithmetic, not strategy. A minor incident costs between $18,700 and $56,600. A permanent license to prevent the incident costs $997.
That's not insurance. That's basic business mathematics.
The AI Training Kit is $997, one-time. Permanent license. Distribute to all current employees. The protection starts with the first email.