The HMRC data disaster brought to mind a bucket. A bucket full of water. And a bucket full of holes. And a bucket full of water and holes and which, therefore, leaks remorselessly. But no matter how much the bucket leaks, it never empties. Never. It’s always full of water. It sounds like a sorcerer’s apprentice’s nightmare. And in a way, it is. Because although two CDs containing data relating to 25 million beneficiaries of child benefit has been lost, the fact is that the data itself hasn’t been lost. Data is probably the only thing that can be stolen or carelessly mislaid, while never actually being lost. Ctrl-c, ctrl-v has a lot to answer for. Ditto drag-and-drop. Hence the bucket: data can leak out of an organisation, and yet never be lost.

Imagine for a moment what would happen if the leak of data meant its permanent loss. Imagine slapping the details of 25 million people onto a couple of CDs and the data simultaneously and permanently being wiped from the computer whence it came. (If it makes it easier to get your head around this concept, try imagining removing 25 million Roladex cards and then shipping them in a few dozen crates.) You would take a lot better care of your data if you could actually, permanently be deprived of it like this.

This then brought to mind the issue of risk, which also features quite heavily in this month’s magazine: if the downside of having data stolen is simply that someone else has a copy, then there’s certainly nowhere near as much downside as if the data had actually been lost. Companies would take so much better care of the information in their possession if improper use or copying of data meant that they would no longer have it themselves. That’s the way it used to be. And this could well be a good starting point for a data security strategy: to treat information as precious as if the organisation could be permanently deprived of it. If the data is so valuable that you would pay a fortune for its safe return, then it probably makes sense to prioritise its security.

Simple concept, more difficult in practice. Moreover, it’s not exactly true to say that data misuse has no downside. The reputation of HMRC has certainly taken a knock but that’s no big deal. We’re still going to have to pay our taxes. For companies in the private sector, though, reputational risk is very real, if a little intangible. When companies such as Norwich Union get hit with a £1.26m fine, that does make the eyes water. Perhaps what is needed is some really swingeing financial penalties in order to bring home the fact that data comes with bone-crushing responsibilities.

But I readily concede there wouldn’t have been a lot of point in fining the taxman.