Failing to put existing security policies into effect is another common shortcoming, said Smith, which shows that people remain one of the biggest challenges to getting information security right.
Another common thread running through most data breaches both past and present is that personal data is not properly valued, he said, mainly due to a lack of proper management structures.
This all means that improving governance and accountability is still "absolutely key" for many public and private organisations, said Smith.
The ICO's new powers to impose fines of up to £500,000 and conduct spot audits, which come into effect from 6 April 2010, will help drive the message home, he said.
The ICO's mission will also be aided by other legislative changes, such as the possible introduction of a data breach notification law in the UK, said Smith.
"Within 18 months, data breach notification will be required by law in the telecoms sector in line with EU directives, and I can see this being extended across all sectors within three years," he said.
Custodial sentences for individuals found guilty of deliberately selling information or gathering information under false pretences are also a possibility, said Smith.
"The government is consulting on prison sentences for these types of data offences, but we are unlikely to see any new legislation before the general election," he said.
This story first appeared on www.computerweekly.com