Data breach incidents in the United States have recently attracted the attention of researchers and practitioners. Commercial entities and government agencies that obtain and process personal information face the risk of that information being breached and, consequently, legal, reputational, and financial damages. A risk management approach to information security is commonly used to manage and mitigate those risks. This paper aims to estimate the probability of occurrence and the size of data breach incidents for government and commercial entities by devising a predictive model that takes historical data as its input. We used a dataset of all reported data breaches in the US collected and published by Privacy Rights Clearinghouse (PRC). The results show that the trend in data breaches has not been increasing, despite all the attention and warnings. The distribution of data breach occurrences closely follows the Poisson and Negative Binomial distributions. Both models proved promising and can predict data breach incidents with low deviance from actual numbers.
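As an added illustration (not code or data from the paper), the Python sketch below fits Poisson and Negative Binomial models to a constructed series of monthly breach counts and reports the Poisson deviance alongside a likelihood comparison. The counts, the method-of-moments fit and all function names are assumptions made for this example; the abstract does not state how the paper's models were estimated.

```python
import math
from statistics import mean, variance

# Constructed monthly breach counts (illustrative only, NOT PRC data).
MONTHLY_COUNTS = [52, 61, 47, 70, 38, 66, 55, 81, 43, 59, 74, 50]

def dispersion_index(counts):
    """Sample variance / mean: about 1 for Poisson, >1 signals overdispersion."""
    return variance(counts) / mean(counts)

def fit_negbin_moments(counts):
    """Method-of-moments NB fit using var = mu + mu^2 / r; returns (mu, r)."""
    mu, var = mean(counts), variance(counts)
    if var <= mu:
        raise ValueError("no overdispersion: NB reduces to Poisson")
    return mu, mu * mu / (var - mu)

def loglik_poisson(counts, mu):
    return sum(k * math.log(mu) - mu - math.lgamma(k + 1) for k in counts)

def loglik_negbin(counts, mu, r):
    p = r / (r + mu)  # NB "success" probability in the (r, p) parameterisation
    return sum(math.lgamma(k + r) - math.lgamma(r) - math.lgamma(k + 1)
               + r * math.log(p) + k * math.log(1 - p) for k in counts)

def poisson_deviance(counts, mu):
    """2 * sum(k*ln(k/mu) - (k - mu)); the k*ln term is 0 when k == 0."""
    return 2 * sum((k * math.log(k / mu) if k else 0.0) - (k - mu)
                   for k in counts)

def compare(counts):
    """Fit both models and return the quantities used to choose between them."""
    mu, r = fit_negbin_moments(counts)
    ll_p, ll_nb = loglik_poisson(counts, mu), loglik_negbin(counts, mu, r)
    return {"mu": mu, "r": r, "dispersion": dispersion_index(counts),
            "poisson_deviance": poisson_deviance(counts, mu),
            "aic_poisson": 2 * 1 - 2 * ll_p,   # one parameter (mu)
            "aic_negbin": 2 * 2 - 2 * ll_nb}   # two parameters (mu, r)

if __name__ == "__main__":
    for name, value in compare(MONTHLY_COUNTS).items():
        print(f"{name:>17}: {value:.3f}")
```

A dispersion index well above 1, as in this constructed series, is the usual reason a Negative Binomial model is tried next to a Poisson one when forecasting incident counts.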