An event on the scale of the HMRC's lost data debacle would have cost a private company at least £4bn, according to insurance broker Jardine Lloyd Thompson.
Using a US model the company's Cyber & IT Risks division has calculated how much HMRC could have lost if it had been a private company.
Jeremy Smith, head of Cyber & IT risks at Jardine Lloyd Thompson, said that in the US, legislation means companies have to report data leaks, and when this happens the company responsible faces costs including offering customers bank account monitoring services and having to notify customers.
He said credit monitoring, which costs on average £50 per year, would probably have to be provided for three years, which for 25 million customers would have cost £3.75bn.
It would also cost around £250m to change all the customers' bank details, £7.5m just to notify customers by letter, and a further £200,000 to carry out forensics to find out what went wrong.
None of this includes costs that can be incurred if customers or the banks affected sue, said Smith. "If the details do get into the wrong hands and fraud is committed the costs can be enormous. The banks usually pay this but if they can prove that the company has been irresponsible they could sue," he added.
He said US legislation regarding the protection of customer data means that companies are liable for massive costs in the event of leaks. "We sell a lot of policies to cover this in the US and it is starting to pick up in the UK."