A third of British security professionals are unaware of the maximum penalty the Information Commissioner's Office (ICO) can impose for inadequate data protection.
Only around 60% of professionals knew that those found negligent in meeting data protection standards can be fined up to £500,000, depending on the sensitivity of the data and the scale of the loss.
John Michael, chief executive of iStorage, said: "It is important that everybody dealing with sensitive data in the workplace understands the potential financial and reputational repercussions if it can be proved that the data they are handling is not protected properly.
"However, these survey results show that this simply is not the case."
Over the last two years, 36 fines averaging £120,000 have been awarded. The greatest was £440,000 against the joint owners of Tetrus Telecoms for sending unsolicited text messages, a decision subsequently overturned.
Most recently, the ICO said it was considering an investigation into travel site Hotel Hippo over an alleged breach in which a URL could be altered to reveal customer details, shortly before the service was shut down.