The Heartland data breach made headlines in January, exposing 250,000 companies to hackers. But Heartland is hardly the only company that suffered a data breach in 2008.
According to a new survey from the Ponemon Institute, a privacy research firm, data breaches cost U.S. companies $6.65 million last year. That's up from $6.3 million in 2007.
The firm's fourth annual U.S. Cost of Data Breach Study examined 43 organizations across 17 industry sectors to break down data-breach costs. The costs are rising, with incidents costing U.S. companies $202 per compromised customer record in 2008, compared to $197 in 2007.
The largest cost increase in 2008 was due to lost business created by customer turnover. Since 2005, the first year for the study, the churn rate cost has grown by more than $64, or 40 percent, on a per-victim basis.
"After four years of conducting this study, one thing remains constant: U.S. businesses continue to pay dearly for having a data breach," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. "As costs only continue to rise, companies must remain on guard or face losing valuable customers in this unpredictable economy."
Breaking Down the Numbers
The average churn rate was 3.5 percent, but health-care companies experienced 6.5 percent and financial-services companies 5.5 percent. According to Ponemon, that indicates the sensitivity of the data collected and customer expectations that the information will be protected.
Slicing the data another way reveals that breaches involving third-party organizations accounted for more than 44 percent of all cases in the 2008 study, and those cases cost the most because of additional investigation and consulting fees. More than 84 percent of 2008 cases involved organizations that had suffered more than one data breach. Noteworthy is the fact that more than 88 percent of all cases involved insider negligence.
On the positive side, more than half of the respondents believe training and awareness programs help prevent breaches, and 44 percent have expanded their use of encryption. The most significant cost decrease was seen in activities relating to post-breach response, which indicates that organizations are becoming more cost-effective at managing breaches.
"In this current economic climate, U.S. businesses can't afford to give their customers any reason to go elsewhere," said Phillip Dunkelberger, president and CEO of PGP, which owns the Pretty Good Privacy code. "This study continues to show that the results of a data breach can seriously wound a company's bottom line and reputation. This begs the question: When are organizations going to get proactive about protecting their critical data?"
Closing the Gap
According to Michael Argast, a security analyst at Sophos, recent legislation requiring disclosure has driven up the costs of data breaches for companies as consumers become more aware of the risks to their data and the importance of security at the companies which hold that data.
Financial organizations and health-care organizations are especially at risk, he added, due to the potential financial and privacy risks associated with their data.
"Hopefully the extreme costs associated with these losses will cause organizations which were previously lax to take a more aggressive approach to safeguarding their data," Argast said. "Increasing the scope of encryption technology, combined with enforcement mechanisms to ensure its use, will help. Users continue to be a weak link -- policy-enforcement mechanisms combined with improved user education will help close that gap."