The cost of cleaning up after a data breach is declining, new data suggest.

After generally rising for seven years, the average cost to organizations to take appropriate action after sensitive account data are exposed fell 9.3% last year, to $194 per account from $214 in 2010, the results of a new study the Ponemon Institute LLC released this month show.

But data breaches are still expensive.

Based on an industry average of about 28,000 breached records per incident, the average total cost to an organization of coping with a data breach last year was $5.5 million, down 23.6% from $7.2 million a year earlier, Ponemon estimates in its 2011 Cost of Data Breach Study, which Symantec Corp. cosponsored. Symantec provides an array of Internet security and fraud-detection services.

Traverse City, Mich.-based Ponemon during 2011 studied 49 companies in 14 industry sectors that experienced a serious data breach, interviewing key personnel about the direct and indirect costs of the incidents.

Direct costs to organizations in the wake of a data breach typically begin with orchestrating an announcement because 45 U.S. states have enacted laws requiring owners of databases to inform individuals of the data exposure.

Additional direct costs include hiring forensics experts to investigate the breach's cause and remedy the situation and providing customers with a hotline or other support and free credit-monitoring, the firm notes.

Indirect costs, which vary widely, can include loss of customers and reputational damage, the study report suggests.

For the first time since 2005, when Ponemon began studying the effects of data breaches, organizations said they experienced fewer customer defections following breaches. As a result, the estimated cost of lost business resulting from a breach fell 33.7% last year, to $3.01 million from $4.54 million a year earlier, Ponemon says.

Broader awareness of publicity surrounding data breaches may be the reason customer defection is softening, as are organizations' improved capabilities in coping with breaches, Mike Urban, director of financial crimes solutions at Fiserv Inc., tells PaymentsSource, a Collections & Credit Risk sister publication.

"The publicity surrounding some of the biggest breaches over the past couple of years got a lot of attention ... consumers noticed, and directors realized that data-breach damage could actually affect a company's stock price," Urban says.

One example he cites is the high-profile data breach of Heartland Payment Systems Inc. in 2008. That breach helped to "created a lot of awareness at the top level" of organizations that subsequently stepped up their systems to prevent and react to data breaches and to reassure customers they would not directly be exposed to financial losses, Urban says.

"Organizations have since made a lot of investments in securing data and in training people to respond to them," he says.

But despite an apparent easing in the costs of data-breach recoveries, organizations should be on guard more than ever to protect against new types of data breaches as criminals explore new channels, Urban says.

"Criminals are just working harder now to find new ways to attack companies' data, ... and nothing that's connected to the Internet is truly impenetrable," he warns.

Subscribe Now

Authoritative analysis and perspective for every segment of the payments industry

14-Day Free Trial

Authoritative analysis and perspective for every segment of the industry