Its Breach Report 2008 looked breaches across five categories - data on the move, accidental exposure, insider theft, hacking and subcontractors.
The study concluded that while the financial, banking and credit sectors have been the most "proactive" industries in terms of addressing data protection issues, there are indications that many institutions are still failing to properly protect crucial information.
The ITRC's figures show that just 2.4 per cent of breaches involved data that used encryption or another form of strong protection.
In addition, only 8.5 per cent of security lapses involved data that could only be accessed using a password.
"It is obvious that the bulk of breached data was unprotected by either encryption or even passwords," the organization said.
The body warned that subcontractor beaches were particularly risky because while they are only counted as one incident, they could impact on "dozens" of firms.
Founded in 1999, the ITRC is a non-profit organization that works to promote greater understanding and prevention of identity theft.