Someone really needs to:
a) Read the Data Protection Act
b) Review the case law (so even if the DPA doesn't say it explicitly, the courts have already ruled that NOT encrypting is failing to reasonably protect data)
c) Check out the ICO's own advice pages that have said things like this for years, under the various recommendations etc. sections:
"The Information Commissioner has formed the view that in future, where such losses occur and where encryption software has not been used to protect the data, regulatory action may be pursued."
d) Card details, especially, should be encrypted to be PCI DSS compliant. You are PCI compliant, yes? Of course. Because not being able to take money when they stop you processing cards will hurt your business more than any data leak would on its own.
e) Get off your butt and encrypt things anyway, just as a normal part of corporate IT.
P.S. The latest DPA has PERSONAL LIABILITY for protecting data. Failing to encrypt, if that would be considered a reasonable measure for the data (hint: Yes, it would) could well see you before court, especially if you're an IT guy who has responsibility for such things or (worse) you're the named data controller.
DON'T WHEEDLE YOUR WAY OUT OF THIS.
Biting the hand that feeds IT
