Companies are failing to disclose data security breaches to clients.
A security survey of 300 companies by IT services firm Logica found only 40% of organisations whose data is breached tell clients.
Only half of the firms that had suffered a breach told the police or the authorities.
More than half of companies failed to understand the impact of a security breach, said Logica.
More than 50% of firms believed security was the responsibility of the IT department.
Tim Best, director for enterprise security solutions at Logica, said: "Data losses put customers at risk and can lead to large contracts being withdrawn. With some organisations failing to disclose security breaches, this complacent attitude not only increases the likelihood of financial and reputational consequences, but also highlights the inadequate security policies and protocols that UK organisations have in place."
Tim Best said: "It is time to take action; it should be mandatory for all organisations to report significant breaches of confidential personal information to the Information Commissioner or their regulatory body. Only through mandatory reporting will the scale of the problem be understood, which will lead to the correct solutions being applied."
The survey found that only 30% of firms educate staff in IT security and information handling procedures on a regular basis, with fewer than a third employing a specific security incident response team.