The end result will likely be more companies wasting time on useless theatrics like PCI compliance to protect themselves from legal liability rather than meaningfully protecting users' data and preventing their systems from being launch points for bigger attacks.
This is why I'm highly doubtful about the ROI of burdening companies, courts, and law enforcement with this 'solution'.
Even though it feels good to punish a faceless corporation for making a seemingly obvious mistake.
What's wrong with a PCI-like compliance that ensures companies that affect this many people have their servers patched on a regular basis?
Rubber stamps like PCI compliance might look like time wasters. Not all of them are. Given the huge increase in the amount of online credit card transactions, the number of cases where payment information is compromised is very low. That is partly due to PCI compliance IMO.