This is why I've said for years: If you want to drive best practices and policy with companies, you can only do it with liability. Particularly non-insurable and non-tax-deductible liability. If a company can't offload civil or criminal penalties to their insurance company and take the tax write-down, they suddenly start caring about it.
That said, this should be used sparingly, as it embeds a behavior deep. If that behavior later no longer makes sense it can be extremely costly to change it later.
On an emotional level I feel the same way: I would love for the company that leaked my PII to die and their CEO/CTO to be out of a job forever.
Practically I think that leaking data is inevitable. A junior developer absolutely WILL vibecode a piece of code with glaring security vulnerabilities. An experienced sysadmin WILL temporarily allow public access to the S3 bucket and then forget.
So if you make sure liabilities are covered by corporate assets and are uninsurable, you will soon find a world with no services.
I don't know what middle ground is possible to find here.
> Particularly non-insurable and non-tax deductible liability
Too often liabilities exceed assets, or the liabilities are externalised.
Liability doesn't work as an incentive for many risks. For uncommon but extreme risks, it can be better to roll the dice on company failure than regularly pay low amounts for mitigation.
It is especially effective to ignore liabilities when a company has poor profitability anyway.
And then you see major companies sidestep the costs of their liabilities (plenty of examples after security failures, but also companies like Johnson & Johnson).