Stone: The government must enact legislation to protect consumers against data theft

Changing the economic balance of data security

BCS view: We need to protect victims of data loss, says Richard Stone

Written by Richard Stone

The loss of CDs containing the personal data of 25 million UK citizens has rightly caused an outpouring of “shame on you” on HM Revenue and Customs (HMRC), and prompted such questions as: “How could you let this happen?” But the real question we should ask is: “Who else has lost my data that I have not been told about?”

Companies of all sizes, and local and national government, hold huge amounts of very private information on virtually everyone in the UK. Amazingly, there are no laws to force them to protect that information, or to tell you if your unencrypted information is lost or stolen.

It is cheaper for a firm to say and do nothing if it loses Joe Public’s private information, rather than to do the right thing — ensure that all the data is encrypted, or tell consumers if there is a risk their private data may have fallen into the wrong hands.

The situation in the US today is very different. Following some very high-profile data thefts, many states have enacted so-called data breach notification legislation.

Put simply, this legislation says that if you lose customers’ personally identifiable information and it was not encrypted, you must notify everyone likely to be affected. Many states have also included additional consumer protection, such as one year’s free credit monitoring services.

The US federal government, immune from state legislation, has also mandated strict data security standards for itself. Following an incident similar to the HMRC’s, President Bush issued a mandate that all government departments must implement data encryption.

In that breach, a laptop containing health and financial information on 26.5 million veterans was stolen from an employee’s home.

The net effect of US legislation has been to change the economic balance of data security. Now, it’s cheaper to implement a good data security solution than to bear the cost of a data breach notification.

When items such as credit monitoring are added in, it is estimated that the average cost of a breach notification following the loss of unencrypted data is in the region of $90-$140 (£45-£70) per customer record.

So, if the loss involved 100,000 customers, this will typically cost a company on average $11.5m (£5.8m). The cost of a good data security solution is much less.

US legislation has not stopped data theft, but it has provided insurance for affected consumers by forcing companies and the government to either protect consumers’ data, or come clean when they lose it. It has also put the spotlight on companies that fail to protect consumers.

The UK government must follow the US government’s lead. It must enact legislation to protect consumers against data theft and the subsequent risk of identity theft. If nothing else comes out of the HMRC incident, let this be a lesson learned the hard way.

Richard Stone is marketing vice president for Credant Technologies and a BCS contributor
