Sorry, I agree with nellwal - accountability is the only way. There is some "accountability" that users / customers trust the company less, you lose some business, but the public memory is actually very short (and business has no memory at all as long profits go up - a penny..)

What's the difference(?) - a network admin leaving the network open (or being overprotective as we have seen) and very definitely punished or even jailed, a corporate doing the same thing - what is the outcome?

All the cries of how difficult or how expensive it is to make secure systems is just that - cries! Sorry (again) 30+ years securing business (not just IT because it doesn't make any sense) - let's try again - real security is not technology, tools or toys, it is a process and not difficult nor expensive if done up front! As an afterthought - sometimes almost impossible. Forget (well, not totally) the IT security, certificates, vendors, etc - start thinking security as a business function, part of the corporate. I know, it is not easy, the vendors sell "solutions", much easier - just think before you jump!

Actually, the comparison of money lost, etc makes no sense - or are they going to pay the individuals the lost time, lost business opportunities, cost of creating new credit profiles, etc - not even asking any punitive damages - just $500/h or maybe for a lawyer $2000/h of all the personal time wasted trying to fix it. I didn't think so!