Cost of Data Breaches Declines

20.03.2012

While the decline in costs should benefit businesses, the reason for the decline may not be so reassuring.

"I think the root cause is that people are maybe becoming a little numb to the notification," Dr. Ponemon says when asked to speculate on the driver for the decline in lost business costs. "Maybe most of us by now have received one if not more notifications. Over time, if you don't become a data breach victim as a result of the event, it begins to lose its impact. These notifications are becoming almost ubiquitous. It's hard to determine which ones I should care about."

And, in fact, notification costs were up 10 percent in 2011, from $511,454 in 2010 to $561,495 in 2011. Dr. Ponemon noted that new laws and regulations governing data breach notification played a role in that increase.

The Ponemon Institute also found that organizations that respond to a breach too quickly, sending notifications to customers immediately rather than first conducting a thorough assessment of the data breach, paid on average $33 more per compromised record. Additionally, organizations responding to their first data breach event paid an average of $37 more per compromised record. Data breaches caused by third parties or due to lost or stolen devices also increased the average cost of compromised records by $26 and $22, respectively.

Organizations with CISOs Pay Less