Kent-based insurance firm Jubilee Managing Agency has been found in breach of the Data Protection Act by the Information Commissioner's Office.
The case highlights the importance of encrypting data on any device to ensure that information is safe even if it gets into the wrong hands.
Jubilee Managing Agency, which is part of Lloyds, lost an unencrypted disc which contained the personal details of 2,100 people.
A review found a lack of detailed data security procedures and policies, and insufficient staff training in the agency.
Sally-anne Poole, head of enforcement and investigations at the Information Commissioner's Office (ICO), said that since November 2007, 161 data security breaches have been reported to the ICO in the private sector.
"We urge all CEOs and their senior management teams to ensure data protection is treated as a corporate governance issue affecting the whole organisation. All organisations need to make sure that safeguarding the personal information of customers and staff is embedded in their organisational culture."
Andrew Kahl, co-founder at security supplier Credant Technologies, said although the insurance firm blamed the data breach on a lack of staff training and poor data handling procedures, there is no excuse for not encrypting data.
"The reality is that all firms need to adhere to IT security policies involving encryption of staff and customers' personal data," he said.
Richard Taylor, director at business consultancy LPI2, said there is a move in the insurance sector towards using digital rights management software to protect data. This software makes data inaccessible if, for example, it is put onto a different device from the one on which it legitimately resides.
He said insurance companies are particularly vulnerable to data theft because they have to keep information for many years to help them calculate their insurance charges.