But we had policies and procedures in place!!!
Data loss fiascoes always come with the yap "the established policies weren't followed" or "oh gee, the policies were followed but they didn't work."
Everybody with an IQ over, say, 65, knows perfectly well that written policies aren't good for much of anything except bum wipe. If your IT systems don't actively enforce those policies, they aren't even good for that fundamental purpose. (Yes, the pun is intentional. Mea culpa, mea maxima culpa.)
Management mandarins have a touching faith in the efficacy of written policies and consistently forget that the sinful masses always take the easy way out. If a policy stands in the way of convenience, too bad for the policy!
They're just like the Bolsheviks in NuLabour who, in their drive to create the New British Wo/Man (à la the Russian Bolsheviks' New Soviet Man), have passed innumerable laws against behavior and thought contrary to their ideals. Oddly enough, the crime rate goes up, the crimes become more horrific, the police squander their energies imposing draconian penalties on trivial offenses, and the government demands another round of laws against whatever is today's flavor of antisocial behavior.
Turning back to IT, prevention of data loss debacles requires that IT systems actively prevent confidential information from being held locally on PCs or being transcribed to CDs. I suspect the only effective way to achieve these goals is to go back to mainframes with dumb terminals. This kind of regimen also implies "no taking work home on your laptop." The proof of that assertion is left as an exercise for the reader.
The only cure may be to impose absolute liability on not only organizations, but also on their managers and directors, for any data loss by their organization. Financial liability, at that, say to the tune of £10,000 per individual whose privacy has been compromised. It has to be vastly more expensive to allow data loss than to prevent it from happening in the first place; otherwise the beancounters will neuter any serious attempts to protect data confidentiality.
There's also the minor detail that the possibility of personal bankruptcy focusses the mind marvelously on the issues at hand. One might want to further heighten management angst about data loss by declaring that anyone responsible (sensu lato) for such loss is forbidden to ever again work in a position of responsibility or authority.