That's a defeatist attitude. If you make companies liable for this, they'll start paying more attention to security. I'm not a trained security expert, but I did have to explain this year why not to store plain text passwords in a database. Security is seen as secondary to product across the board. We need penalties to change this.