7 comments

[–] CDanger 1 points (+1|-0)

Or because they have seen from the numerous breaches and security incompetence that there are no major consequences from their mistakes. Compliance and proper security costs money and most of the time shows no obvious benefit.

Just issue some press releases saying you take security seriously and say you're cooperating with law enforcement to find the responsible parties. In a few weeks/months people will completely forget after they hear about the next breaches.

Security can be solved. Simply make the consequences from breaches too large to ignore. Award $100 every time a customer has data that leaks. I guarantee you security will be taken seriously then. This will never of course be implemented because corporations buy out politicians, and this serves the interests of the people, not them.

[–] PMYA [OP] 1 points (+1|-0)

Award $100 every time a customer has data that leaks

We actually changed our laws in the UK recently regarding this. Companies can be fined up to 4% of their annual profit or up to £17 million (I think that was the figure, can't recall) for user data being leaked or stolen if the company is found to be liable in any way.

[–] CDanger 1 points (+1|-0)

That's a start. Percentage fines or fines that scale by the number of victims (without a cap) seem like the only thing that would actually carry real consequences. 17m quid to a company like HSBC is nothing. It has to be an existential threat to the company.

In any case, I'll be curious to see how that works out in the UK.

[–] PMYA [OP] 1 points (+1|-0)

It is nothing to large companies, but as far as I can tell, there is nothing that would stop a company from being fined multiple times for the mishandling of each person's data. I doubt there will ever be a case where a company is fined millions for each person's data being stolen, but it does mean that 17 million is not technically the cap.