But one disconcerting pattern the Ponemon study picked up on in last year's round of data breaches is that the faster a company moved to notify victims of the breach, the higher the costs.
About 41% of the respondents in the study said their organization had notified victims within one month of discovering the data breach, up from 36% in 2009. But these so-called quick responders paid $268 per record, up 22% from 2009 — and substantially more than companies that took longer, which paid $174 per record, down 9% from 2009.
Costs pile up in the rush to meet a reporting deadline of one month or less, and that doesn't necessarily mean companies are doing a better job of the forensics needed to understand exactly what happened to them in the data breach, says Ponemon. Instead, the rush seems to lead to an "over-reporting phenomenon" in which more records are reported and publicly disclosed than were actually involved in the breach. This may be happening because companies fear problems with state or federal regulators, or class-action lawsuits, if they delay past the one-month timeline, he said.
The Federal Trade Commission, for one thing, has talked about one month as a guideline for healthcare, Ponemon noted.
This year Symantec, which sponsored the report, worked with the Ponemon Institute on an online cost-of-a-data-breach calculator that lets organizations plug in variables and get an idea of what kind of data-breach costs they might incur, based on statistical data Ponemon has collected about industry, size, number of records and other factors.