I think it would be useful to re-examine the way we deal with the so called "data breach”. General Patton said plans should be simple - and made by those who would implement them. In the world of data breaches I believe we could do better if plans were made by actual security practitioners rather than by committees of policymakers.
The existing system is probably nonsensical now that merchants are facing structured threats who outmatch them a thousand fold. When commercial airliners were targeted by terrorists, we did not order the airlines to become impenetrable to terrorism or else face horrific penalties. The airlines don't know anything about counterterrorism; few would argue that they should be expected to defend themselves. Instead, the state - which has exclusive jurisdiction on the use of force - took offensive and defensive action to respond the threat. Why then does it make sense to penalize merchants and retailers for being victimized by well-organized for-profit structured threats who may even have state sponsorship (or at least enjoy tolerance by friendly or indifferent governments)? I propose 1) a simple metric system that we can use to continuously evaluate success / failure of corporate security programs, providing 2) an end to the existing breach notification / lawsuit parade so we can use that time and money constructively elsewhere 3) more offensive action by state and law enforcement and 3) seizures of monies from these for-profit actors by law enforcement - so we can use this money to do good things (like expand Infraguard) and help the cause of the defense (and help make the problem pay for itself).