Data breaches increase, legal costs soar

Written by John P Mello Jr on February 16, 2010
Average per-record cost of a data breach has increased from $138 per victim in 2005 to $204 in 2009.

The customer cost to companies who suffer data breaches increased slightly over the last year, as did the average cost per incident, according to a recent report.

Compared to 2008, when the average per victim cost for a data breach was $202, the cost last year was $204, it was reported in the fifth annual U.S. Cost of a Data Breach study conducted by the Ponemon Institute, of North Traverse City, Mich. and sponsored by the PGP Corporation, of Menlo Park, Calif.

Also increasing a tad was the average cost per incident, to $6.75 million from $6.65 million in 2008. Although the cost of each incident climbed, the actual number of incidents declined by 24 percent, to 498 from 657 in 2008.

Although the direct costs attributed to data breaches declined in 2008, they showed a significant increase in 2009, according to the study, which analyzed 45 cases in 15 industries including financial, retail, healthcare, services, education, technology, manufacturing, transportation, consumer, hotels, leisure, entertainment, marketing, pharmaceutical, communications, research, energy and defense. Cases involved as few as 5,000 records and as many as 101,000 records.

Direct, or ex-post, costs attributed to breaches, the researchers found, jumped to $60 per victim from $50 in 2008. “One of the main reasons for an increase in ex-post response costs is due to the increase in legal defense costs,” they maintained. “This can be attributed to increasing fears of successful class actions resulting from customer, consumer or employee data loss.”

By contrast, indirect costs, which include the cost of customers ditching a company that’s told them their personal information may have been compromised in a data breach, dipped to $144 per victim from $152 in 2008. Companies experiencing a data breach can expect 3.7 percent of those directly affected by the event to cut ties with the business. That’s a slight increase over 2008, when the figure was 3.6 percent.

That 3.7 percent is just an average, though. For certain industries, the churn is much higher. For pharmaceuticals, communications and health care, the rate is six percent; for financial services, it’s five percent.

Overall, 40 percent of the costs attributable to a data breach can be tagged to customer churn. That’s actually a decrease from the previous two years: 41 percent in 2007 and 43 percent in 2008.

Two growing cost areas, according to the study, are audit and consulting services, which increased to 12 percent in 2009. When the annual study was launched in 2005, that category accounted for only eight percent of costs. But the biggest gainer in the mix was legal services for defensive purposes. They accounted for 14 percent of costs in 2009. A scant five years ago, they were only five percent of the mix.

More than 82 percent of the companies in the sample had experienced more than one breach involving 1,000 records or more. Costs were higher for companies experiencing their first data breach compared to repeat victims, the report noted. Cost per victim for first-timers was $228, compared to $198 for repeaters. “This finding suggests companies that experienced data breaches become more efficient at managing costs over time,” the researchers deduced.

Although malicious activity by information highwaymen grabs most of the headlines about data security, it was low man on the totem pole as far as the causes of the data breaches studied by the researchers.

What was the number one cause of data breaches? According to the study, third-party foul-ups (42 percent), followed by negligence (40 percent), lost or stolen devices (36 percent), system glitches (36 percent) and, in the basement, criminal or malicious attacks (24 percent). (The percentages sum to more than 100 because a single breach could be attributed to more than one cause.)

Third-party snafus are a costly kind of data breach because of the additional investigation and consulting fees connected to them. The cost is even higher if the third party is located offshore. The report said that the average per-victim cost of a third-party breach was $217, compared to $194 for a non-third-party incident.

Laptop thefts also lead to costly data breaches, the report noted. Per-victim costs for breaches created by that activity were pegged at $225, $30 higher than for non-laptop breaches.

Although data breaches caused by malicious attacks weren’t as common as those caused by insider negligence and system glitches, they were, at $215 per victim, more costly than other causes. Per-victim costs for breaches caused by negligence were $154 and for glitches, $166.