horsawlarway 6 hours ago
Sure, and in cases of negligence this is fine. The law even explicitly scales the punishment based on perceived negligence and almost always is only prosecuted in cases where the standards expectations aren't followed.

Ex - MMG for 2026 was prosecuted because:

- They failed to notify in response to a breach.
- They failed to complete proper risk analysis as required by HIPAA.

They paid 10k in fines. It wasn't just "They had a data breach" (OP's proposal...), it was "They failed to follow standards which led to a data breach where they then acted negligently".

In the same way that we don't punish an architect if their building falls over. We punish them if the building falls over because they failed to follow expected standards.
jcgrillo 4 hours ago
Buildings don't just fall over, and security breaches don't just happen. These things happen when people fuck up. In the architecture world we hold individuals responsible for not fucking up--not the architect, but instead the licensed engineer who signs and seals the structural aspects of a plan. In the software world we do not.