Cost of Data Breaches Declines

20.03.2012
For the first time in seven years—and despite numerous high-profile incidents—the average cost of a data breach fell in 2011, according to new findings released by Symantec and the Ponemon Institute.

"Nearly shocking to me, the cost of data breach declined," says Dr. Larry Ponemon, chairman and founder of research think tank Ponemon Institute. "It's still not chump change."

The study found the average organizational cost per data breach was $5.5 million in 2011, down 24 percent from $7.2 million in 2010. Additionally, the cost per compromised record fell to $194 per record, down $20 (10 percent) from 2010. That's the lowest cost per compromised record since 2007.

Ponemon Institute has conducted this benchmark study for seven years using the activity-based costing model developed by Harvard University Professor Robert S. Kaplan. Dr. Ponemon explains that the model starts with the detection or study of a data breach incident and takes into account forensic and investigative activities, incident response, notification, legal, consulting, outbound communication and call center activities, activities to maintain customer confidence and trust, direct churn, secondary churn and increased customer acquisition costs. The study investigated 49 actual data breach incidents across 14 industry sectors in the U.S.

A decline in lost business costs—abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill—drove the overall decline in data breach costs. Lost business costs fell to $3.01 million in 2011, down 34 percent from $4.54 million in 2010.

Data Breach Notifications Too Rapid?