I like the way Japan approaches data leaks. The government is able to fine a company a fixed amount per person (how much depends on the nature of the PII leaked) and are also able to prevent a company from trading for a period of time. I don't have any figures to say how well it works, but I can say that companies over here are bloody afraid of the consequences.