Security firm says companies are responding too readily to news reports.
Rik Ferguson of security firm Trend Micro has criticised data protection fines for not being high enough after a survey by the firm showed prominent breaches were driving better data protection.
Almost 70% of businesses were found to be rethinking their data protection policies in the wake of breaches against the likes of eBay, Kickstarter and Adobe, while a quarter were taking no action.
Rik Ferguson, VP of security research at Trend Micro, said: "That businesses are being prompted by news coverage of big breaches suggests that the current penalties aren’t doing their job.
"Driving change is what the fines are meant to do: the financial incentives aren’t big enough at the moment."
British data protection agency the Information Commissioner’s Office (ICO) can only fine firms up to £500,000, but new EU data regulations will raise the bar to as much as €100m or 5% of global turnover.
Ferguson said that the new fines should attract the attention of the C-level executives if they are implemented.
"It’s not just the fine that a business has to pay, it’s also a big hit to their reputation," he added. "That means businesses should not be complacent about their existing security provision."
A spokesman for the ICO said: "Our research clearly indicates civil monetary penalties have a positive impact on organisations data protection compliance and practice.
"This includes improved policies and practices; increased staff training; greater senior management buy-in and higher organisational awareness."
Just under a third of companies said they were raising staff awareness as a means of protecting themselves, while nearly two-thirds were implementing encrypted passwords.