This can't be done in the modern financial system, I'd recommend holding senior execs and the members of the board responsible instead.

Shareholders may well be based overseas so it'd be very difficult to actually enforce the fines. They might also use overseas limited liability investment corporations, so fines would just bankrupt those companies leaving the actual shareholders never falling below zero.

There's also the political issues that'd come from potentially giving fines to millions of people because their pension funds invested in a company that had a data breach.