The chief executive of Viasat's UK division praised the ICO's efforts to police the public sector, but claimed the private sector "still has a relatively free rein".
"While the ICO offers free training and auditing to organisations to help address these issues, so far the private sector in particular has been slow to take them up meaning that further incidents may be waiting to be discovered," said Chris McIntosh.
Public sector organisations might be more susceptible to the ICO's toughest penalties because they handle sensitive data on a day-to-day basis.
But commisioner's office told the BBC it would impose financial penalties whenever its criteria were met "regardless of the sector the organisation falls into".
"The course we choose will always depend on the circumstances of the individual case," an ICO spokesman added.
Since the period detailed in the release, data breaches have continued to occur.
Recent examples include the accidental publication of the home and email addresses of 38,000 people who applied to run the London Marathon; loans company Student Finance England sending an email to 8,000 customers which included other recipients' email addresses; and Scotland Yard sharing email addresses of more than 1,000 victims of crime with other victims.