Cost of data breaches drops in U.S., but not for healthcare

The average organizational cost of a data security breach in the U.S. dropped 24 percent to $5.5 million in 2011 from $7.2 million in 2010, according to the latest report from the Ponemon Institute.

Based on the data breach experiences of 49 companies from 14 industries, including healthcare, the average cost per record also dropped from $214 to $194. This was the first time in the seven years for which the Ponemon Institute has done this survey that this cost declined.

Ponemon believes the lower per-record cost of data breaches shows that "organizations are becoming better at managing the costs incurred to respond and resolve a data breach incident," according to a company announcement.

Moreover, the report points out, 45 states have enacted laws requiring organizations to inform affected individuals about data security incidents. "As a result, we believe organizations are taking the protection of sensitive and confidential data more seriously in order to avoid costly fines and loss of reputation and brand," the report states.

The healthcare industry, however, is apparently lagging behind other industries in this regard. In an earlier report, Ponemon found that health data breaches increased 32 percent from 2010 to 2011 and that the average cost per organization grew 10 percent last year.

A recent Redspin report on the state of health IT security similarly found that the total number of health record breaches is up; in fact, that report says they increased 97 percent from 2010 to 2011. Redspin attributed 60 percent of the incidents to hacking attacks.

Across industries, in contrast, malicious hacking accounted for only a bit more than a third of data security breaches, according to the Ponemon report. Even so, that was the highest percentage in the seven years since the institute began publishing these reports. Negligent insiders accounted for 39 percent of the security incidents.

Organizations reporting their first-ever data breach lost an average of $37 per record. Those that notified customers too quickly, before thoroughly assessing the security incident, surrendered an additional $33 per record. Data breaches caused by third parties or by a lost or stolen device increased the cost by $26 and $22 per record, respectively.

Healthcare did not have the highest per-record or per-capita cost of data breaches. Its average per-capita cost of $240 was exceeded by those of the communications ($334), pharmaceutical ($276) and financial ($247) industries, the report found.

To learn more:
- read the Ponemon Institute announcement
- see the Ponemon report
- check out the Redspin announcement
- see the Redspin report (registration required)