Pedestrians walk past a Neiman Marcus store on the Magnificent Mile March 5, 2009 in Chicago, Ill.
Pedestrians walk past a Neiman Marcus store on the Magnificent Mile March 5, 2009 in Chicago, Ill. - 
Listen To The Story

Another day, another data breach. This time, upscale retailer Neiman Marcus has announced customers who used a credit card at one of its stores during the holiday shopping period may have had their data compromised. Around a million people are estimated to have been affected and Neiman told Marketplace it was informed of the data-breach in mid-December… yeah. Mid-December. And they're not the only ones who have sat on data breach information: Target waited four days to announce that data had been stolen from its shoppers. So this points to an overwhelming question:

What's taking them so long?

"They simply don’t feel like they have enough information to come forward," explains independent reporter, Brian Krebs, who broke the story. He says companies are using that time to figure out how many customers have been affected. "No company wants to be seen as trying to come out with a statement that they think they know how bad it is... and then it turns out, it’s a lot worse."

Kind of like Target, which initially said 40 million customers had potentially been affected by its data breach and now it's saying that's more like 110 million. Larry Ponemon is the Chairman of Ponemon Institute, a reseach company that studies privacy, data protection and information security. He says his studies have shown that PR is hugely important in a data breach and the worse its handled, the more customers a company is likely to lose. "It's called churn: How many  people will stop being your customer as a result of data loss or theft? It can be more than half of the total cost of a data breach."

Ponemon estimates the total cost of Target's data breach will be around $760 million.

But waiting for all the facts can trigger costs of its own, like lawsuits and fines says Ted Julian, Chief Marketing Officer with CO3 Systems, which helps companies manage data breaches. "There are substantial privacy breach disclosure requirements," he says. "Failure to meet those can trigger fines which can add up quite substantially." Julian says there are strict state and federal rules about how soon you have to report a data breach and companies have to get smart about it quickly. All companies. “As people in our industry will tell you, it’s not a question of whether or not you’ve been breached. You have been. It’s just whether or not you know it.”

New resolution for 2014? Pay with cash.

Follow Stacey Vanek Smith at @svaneksmith