standardUser 5 days ago

There has to be a better way than just adding another deterrent to starting a company. Could there be an industry standard for storage security? Certification (a known hurdle) is better than "don't fuck up or we'll fine you to death".

sigseg1v 5 days ago

Regulate software development. Other industries already do this.

You could:

- make Software Engineer a protected title that requires formal engineering education and mentorship as well as membership to your country's professional engineering body (Canada already does this)

- make collecting and storing PII illegal unless done by a certified Software Engineer

- add legal responsibility to certified Software Engineers. If a breach like this happens they lose their license or go to jail. And you easily know who is responsible for it because it's the PEng's name on the project

- magically, nobody wants to collect PII insecurely anymore or hire vibe coders or give idiots access to push insecure stuff

- bonus: being a certified Software Engineer now boosts your salary by 5x and the only people that will do it actually know WTF they are doing instead of cowboys, and that company will never hire a cowboy because of liability. The entire Internet is now more secure, more profitable for professionals, and dumb AI junk goes in the trash

aaronmdjones 5 days ago

For writing lists with one item per line, use two line breaks on HN to start a new line.

Like this

jjmarr 4 days ago

Canada does this but it is barely enforced.

Many non-certified people call themselves "software engineers" with no consequence.

LPisGood 5 days ago

I think fines are very reasonable. If you can’t safely do the thing, you should be punished for doing it. If you can safely do the thing then there is no issue.

bawolff 5 days ago

Certification is essentially "don't fuck up or we'll fine you to death" with extra steps. Especially because it mostly comes down to the company self-verifying (auditors mostly just verify you are following whatever you say you are following, not that it's a good idea).

It's not like anyone intentionally posts their entire DB to the internet.

standardUser 5 days ago

Those extra steps help insulate from penalties and lawsuits in a lot of cases.

crx12 5 days ago

Professional Engineer (PE) certification for cyber security professionals would help.

Without personal and professional consequences, the default 1 year of credit monitoring for weak security is just the cost of doing business.

bawolff 3 days ago

How would that help?

By all accounts this app has no security professionals involved with it.

It's not like there was some incompetent cyber security expert saying it's ok to skip ACLs in firebase.