According to a study released on Thursday by the Ponemon Institute, a privacy and information management research firm, each customer record lost or compromised in 2007 cost companies $197, compared to $182 in 2006. That represents an increase of more than 8 percent.
This is the third year that the Ponemon Institute has conducted its "U.S. Cost of a Data Breach" survey, and the average cost of a breach has climbed each year. The increase between 2005 and 2006 was particularly steep, at over 40 percent.
The precise number of consumer records compromised by security breaches each year is difficult to determine. However, a running tally compiled by the Privacy Rights Clearinghouse lists incidents in which at least 216 million customer records have been compromised. Multiplied by the per-record cost above, that figure alone implies tens of billions of dollars in losses for U.S. businesses.
"And keep in mind," said Beth Givens, the director of the Privacy Rights Clearinghouse (PRC), in a telephone interview, "in many cases the number of people affected is unknown. So that figure (216 million) is very conservative. The real total could easily be twice as high."
Disgruntled Customers
The Ponemon Institute reported that the average total cost per incident rose more than 30 percent, from $4.8 million to $6.3 million, and that nearly two-thirds of that cost was lost business: customers who took their business elsewhere after the breach.
Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement announcing the study results that corporate data security remains a persistent problem. "The data from 2007 suggests that although companies are responding to data breaches more efficiently," Ponemon noted, "consumers seem to be less forgiving when their personal information is compromised."
Part of that impatience might stem from the fact that companies share personal information too readily, or without sufficient safeguards. The study found that corporate data is particularly vulnerable to breaches involving third parties: business partners, outsourcers, contractors, and consultants.
Nearly half the companies surveyed reported breaches that originated with organizations outside the company's direct control. Not surprisingly, those breaches were significantly more expensive ($231 per record) than the company's own lapses ($171 per record).
Carelessness Difficult To Stop
It's not difficult to have some sympathy for corporations: no data-security program can prevent every breach without making systems unusable for the company's own employees. And that doesn't take into account the many thousands of attackers who work tirelessly to break into corporate systems.
Nonetheless, it is clear that consumers are running out of patience with careless handling of their data and are increasingly concerned about the risk of identity theft. The PRC's Givens said that there are several steps organizations collecting data can take to minimize the risk of a breach.
"First," she said, "an organization should ask whether it actually needs to collect sensitive customer data. Second, if it does collect sensitive data, then it is important that it encrypt it in case it does get lost or stolen. And third, the organization should restrict access to the data to those who actually need to work with it."