Worst-case projected cost of Epsilon breach: $4B

01.05.2011

Costs to Epsilon's customers could be $5.5 million each for notification of their customers about the theft, settlements to those customers, legal defense, compliance adjustments and loss of business, the report says.

Epsilon's costs will include all of those factors plus a forensic investigation into how the breach happened, regulatory investigations and fines, CyberFactors says.

Typically with breaches, these costs arrive over several years: about 51% is realized in the first year, 42.2% in the second year, and the remaining 6.8% at three years or later, the report says.

If Epsilon does lose customers because of the breach -- this would be measured by abnormal churn among the customer base -- lost revenues would range from $6.1 million if 1% are lost, to $30.6 million if 5% are lost, the report says.

CyberFactors assumes in its figures that the Epsilon customers whose data was breached had roughly equal numbers of emails compromised.