THE LAST time your company sent confidential data, was it "desensitised" and transmitted over the most robust security protocols? Or, if transported physically by courier, was it dispatched under the watchful eye of a senior manager, tracked along a pre-planned route with a full audit trail from beginning to end, monitored by satellite, and its safe arrival timeously confirmed electronically?
Probably not, unless your company is unusually observant of the Data Protection Act 1998. And certainly not if it is information held by Her Majesty's Revenue & Customs, which broke every rule in its own book.
Two discs containing the highly sensitive child benefit records of 7.25 million families, covering 25 million individuals, were consigned to the National Audit Office by a "junior official" in an ordinary postbag without even the most basic security arrangements. The HMRC employee, who is now under 24-hour protection in a safe house, did not even follow the NAO's specific instruction to desensitise the information by removing data the NAO did not need but that could be exploited in the wrong hands, as this surely will be.
Much worse, when the discs failed to arrive, nobody in a senior position was told, in the vain hope that they might still find their miraculous way to the rightful destination.
While Revenue & Customs and the luckless Chancellor Alistair Darling tie themselves in knots over the blunder, there are obvious and profound implications for the commercial world. Loss of sensitive data, whether of commercial or individual significance, will soon cost a bomb, and not only in terms of lost business. Third-party suits for negligent handling of personal information will increasingly carry severe financial penalties.
It is inevitable, say data security experts, that Revenue & Customs' gaffe will trigger new data protection law. A director of Symantec, the internet security firm, sees the case as a "tipping point". EU laws on disclosure of such breaches, for instance, may well be widened to require all companies to notify regulators as well as the individuals concerned of any slip-up, and to set out the remedies they plan.
In some US states, such as California, where these requirements are in place, regulators report an improvement in data protection behaviour. Simply put, because any mistakes will rebound on the company there is an incentive to sharpen up.
Recent surveys show that customers prefer it this way. Nine out of 10 people in Britain are concerned at the way all kinds of institutions protect personal data. Given that level of anxiety, the day when the issue turns into a fundamental tenet of the business model cannot be too far away.
Consumers may be right in their anxiety, according to the findings of an August report by a Lords committee on the issue. It found that wholesale identity theft, the prospect raised by the missing Revenue & Customs discs, is rife. The Financial Services Authority guesstimates its cost at around £1.7 billion a year. A dedicated police squad told the committee about a thriving black market for personal data, with prices depending on how useful the data is. The full set - mother's maiden name, passwords, address details, dates of birth and so on - fetches about £100.
Although the banks did sterling work in a hurry to protect the 7.25 million families before Darling broke the news of the data loss, the committee was unimpressed by their commitment to protecting customers from cyber fraud. "Extraordinary complacency" was its verdict on the attitude of Apacs, the payments network body. "The banks make profits because they are deemed to be a safe repository for their customers' money, and inevitably that money, not the banks' own, is the target of criminals," it reported. What is needed, the committee concluded, is "incentives to overcome this complacency". These were lacking because the banks in particular were able to offload risks on to customers and merchants.
Surprisingly, when these points were put to the relevant ministers, they met with a lukewarm response. Now we have the result.
Meanwhile it is revealing that, while the Lords were digging into cyber crime, Gordon Brown had announced yet another inquiry into the security of personal data, this time by the Information Commissioner, and ordered spot checks of data protection observance by officials. A good idea, but any decent business would have made that mandatory long ago, given the risks.
And yet Revenue & Customs remains a serial offender. In May, a faulty printer was apparently to blame for the details of 42,000 individual bank accounts being disclosed to other people. Three months ago HMRC lost the records of 15,000 people in transit. And in the 12 months to September, 41 laptops went missing, all of them containing confidential data.
As the Lords concluded, it is not necessarily more advanced levels of technology that will solve the problem but legal or other incentives to force government and business to take responsibility for confidential information. These are surely on the way.