Company gets hacked, sue the company. The company is a victim, and the end user provided the data. In the cases where you did not have to do business with said company, the end user is as much at fault for providing the data. Meanwhile we do nothing about the bad guys that actually committed the crimes. We obviously can't let the companies just say "it's not my fault, blame the bad guys" because then they will get so slack about security that there won't be any. The bad guys probably can't be found or possibly reached because they are across international borders. It's a no win situation but until the bad guys can be held responsible this situation will not improve.
Sounds good but rich people didn't get that way by eating the loss of such things. The cost of it will get passed on the the customers while not resolving anything.
