Stronger penalties needed to force better data handling - I don't think so

An article by Ron Cond on on sear states..

Security experts agree that until the Information Commissioner’s Office

(ICO) is given the power to impose hefty fines on those who break the

Data Protection Act, companies will continue to treat information with

what one expert described as “reckless disregard.” 

I disagree, but then nobody asked for my opinion on this one. Maybe I don’t yet mix in the right circles or get invited to the best parties where all the experts are gathering. I certainly don’t know Alan Calder, chief executive of IT Governance Ltd, one of the experts quoted in the article as stating that  Companies should always ensure that PID (personally identifiable data)

is destroyed on their premises and not left to a third-party. That’s nuts. I’d rather not leave it up to the IT department, brilliant and capable as they are. I contract a perfectly capable third party who specialise in data destruction and do the job properly.

Back to the point though. Do stronger penalties work? I doubt it. Stronger penalties might motivate organisations to try harder but until we put an end to this break/fix way of running information security and start focusing on dealing with the problem – which is all about people and not about technology at all – then the incidents will continue to occur on a depressingly frequent basis. 
What is meant by a stronger penalty? One that’s so severe it puts the company out of business, or simply teaches them a harsh lesson? Make the penalties too severe and we’ll end up with an equivalent of the health and safety culture where nobody is willing to take any chances for fear of the consequences. Imposing penalties is not solving a problem, it’ll increase the fear of disclosure and lead to a “check-box” compliance mentality. Tackle the problem from the root causes and we might start getting somewhere.