I personally don't handle data that's as critical as the data the government and their contractors (mis)handle on a daily basis.
However, I have to say that I consider ANY data that isn't my personal data to be vitally important to the owner or those the data might refer to. My own data's pretty important to me too, because I know what the implications of data loss can be. So my security is my affair.
I'm constantly appalled by the cavalier way such data is treated by customers themselves.
It has to be said that by and large the people in question are, basically, muppets.
They have little or no conception of the risks they take on a daily basis - worse, they won't be told. They assume everyone else is stupid, they are smart, and it couldn't possibly happen to them, so precautions are a senseless waste of their, oh so valuable, time.
Myself, I've never (yet) lost data by 'losing' a USB 'thumb drive', CD/DVD, external HD, or a laptop (a laptop FFS! HOW do you manage that?).
Customers REGULARLY lose USB 'thumb drives' and CD/DVDs.
No one I deal with has yet managed to lose a laptop, though with a couple of them I feel it's only a matter of time...
Yes, the Government is ultimately to blame. The decision to employ staff/consultants is their responsibility.
But, it's abundantly clear that individuals and firms are being employed who are of the caliber of many of my customers.
'It won't happen to me, because I'm too smart / know what I'm doing / don't need to waste my time taking precautions'
'Muppets'. All parties involved.
The solution? Accountability. The buck stops at the Cabinet Minister in question's desk. No more 'investigations' designed to stall the matter until it's forgotten. No more 'It won't happen again' - because it clearly will.
'You lost xxxxxx? - clear your desk'
'Your downstream staff member lost xxxxxx? - clear your desk'
'Your firm lost xxxxxx? - contract terminated and no further employment'
'Your department engaged this firm that lost xxxxxx? - clear your desk and kiss your pension bye-bye'
Also - since the government is so damn keen on databases, how about a database blacklist of individuals, firms and directors of firms involved in data loss incidents? So it is possible to ensure none of the individuals involved are ever employed on government work again?